CVE-2025-12758: Unicode Variation Selectors Bypass in 'validator' library (isLength)


Full Disclosure mailing list archives


From: Karol Wrótniak <karol.wrotniak () droidsonroids pl>
Date: Wed, 28 Jan 2026 19:24:40 +0100

Summary
=======
A vulnerability was discovered in the popular JavaScript library
'validator'. The isLength() function incorrectly handles Unicode Variation
Selectors (U+FE0E and U+FE0F). An attacker can inject thousands of these
zero-width characters into a string, causing the library to report a much
smaller perceived length than the actual byte size. This leads to validation
bypasses, potential database truncation, and Denial of Service (DoS).

Metadata
========
CVE ID: CVE-2025-12758
Vulnerability Type: Incomplete Filtering of Special Elements (CWE-792)
Affected Package: validator (npm)
Affected Versions: < 13.15.22
Fixed Version: 13.15.22
CVSS Score: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Description
===========
The 'validator' library's isLength() method is widely used to enforce
constraints on input data. However, the implementation failed to account
for Unicode Variation Selectors. These are zero-width code points that
modify the presentation of the preceding character (e.g., changing a text
character into an emoji).

Because these characters have zero width but occupy bytes in memory (UTF-16
surrogate pairs or single code points depending on the environment), an
attacker can craft a payload that:
1. Appears to have a length of 1 (e.g., 'a' followed by 5000 variation
   selectors).
2. isLength() reports it as length 1 or 2 (depending on internal logic).
3. The actual memory/storage size is massive (e.g., 10,000+ bytes).

Impact
======
- Denial of Service (DoS): Sending extremely large payloads that pass
  length checks can exhaust server memory or CPU during processing.
- Data Truncation: Databases with strict byte limits (e.g., VARCHAR(255))
  may truncate the string, potentially leading to data corruption or
  application logic errors.
- Security Bypass: Bypassing UI or API limits intended to prevent large
  blobs of data.

Proof of Concept (PoC)
======================
const validator = require('validator');

// 'a' followed by many Variation Selector-16 (\uFE0F)
const payload = 'a' + '\uFE0F'.repeat(5000);

console.log("Actual length (chars):", payload.length); // 5001
console.log("Validator isLength(payload, {max: 5}):",
            validator.isLength(payload, {max: 5}));

// In vulnerable versions, this returns 'true' because selectors
// were not properly counted or were ignored in a way that bypassed
// the total length check.
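The following is an added example, not code from the advisory or from the
validator library. It shows the defensive counterpart to the PoC above: a
check that measures a string along every axis that matters (UTF-16 units,
code points, UTF-8 bytes, and how many of the code points are Variation
Selectors) and bounds the real footprint rather than the perceived length,
which addresses the DoS and VARCHAR truncation cases in the Impact section.
The helper names (measure, isLengthSafe) and the sample inputs are this
example's own; it needs only Node.js and no packages.

```javascript
// Added example (not the advisory's or validator's code): measure a string
// the way a naive .length check, a UTF-8 database column, and a human user
// each see it, then enforce limits on the footprint that actually matters.

// Variation Selectors: VS1-VS16 (U+FE00-U+FE0F) and VS17-VS256 (U+E0100-U+E01EF).
// Zero width on screen, but 3 or 4 bytes each in UTF-8.
const VARIATION_SELECTOR_RE = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu;

function measure(str) {
  const codePoints = [...str].length;                   // iterates by code point, not UTF-16 unit
  const variationSelectors = (str.match(VARIATION_SELECTOR_RE) || []).length;
  return {
    utf16Units: str.length,                             // what a naive .length check sees
    codePoints,
    utf8Bytes: Buffer.byteLength(str, 'utf8'),          // what a UTF-8 VARCHAR column has to store
    variationSelectors,
    visibleCodePoints: codePoints - variationSelectors, // roughly what the user perceives
  };
}

// Hardened length check. `max` and `maxBytes` bound the real footprint;
// `min` is measured on visible code points so that padding a too-short
// value with selectors cannot satisfy it. Returns reasons for logging.
function isLengthSafe(str, { min = 0, max = Infinity, maxBytes = Infinity } = {}) {
  if (typeof str !== 'string') return { ok: false, reasons: ['not a string'], measurements: null };
  const m = measure(str);
  const reasons = [];
  if (m.visibleCodePoints < min) reasons.push(`visible length ${m.visibleCodePoints} < min ${min}`);
  if (m.codePoints > max) reasons.push(`code points ${m.codePoints} > max ${max}`);
  if (m.utf8Bytes > maxBytes) reasons.push(`utf-8 bytes ${m.utf8Bytes} > maxBytes ${maxBytes}`);
  return { ok: reasons.length === 0, reasons, measurements: m };
}

// Constructed inputs: the advisory's payload shape next to ordinary text.
const SAMPLES = {
  payload: 'a' + '\uFE0F'.repeat(5000), // renders as "a", stores 15001 bytes
  smiley: '\u263A\uFE0F',                // WHITE SMILING FACE + VS16: legitimate use, 2 code points
  astral: '\u{1F600}',                   // GRINNING FACE: 2 UTF-16 units, 1 code point, 4 bytes
  onlySelectors: '\uFE0F'.repeat(3),     // nothing visible at all
};

// Run every sample through a VARCHAR(255)-style limit on both axes.
function demo() {
  const results = {};
  for (const [name, s] of Object.entries(SAMPLES)) {
    results[name] = { ...measure(s), pass255: isLengthSafe(s, { max: 255, maxBytes: 255 }).ok };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) console.table(demo());
```

The payload from the PoC measures 5001 code points and 15001 UTF-8 bytes
while showing a single visible character, so it fails both `max` and
`maxBytes`; the smiley with VS16 passes, which is the distinction a fix has
to preserve. Choose `maxBytes` from the column's byte limit and `max` from
the application's own limit, and log the returned reasons: a high
`variationSelectors` count relative to `visibleCodePoints` is a cheap signal
worth alerting on.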

Fix
===
The issue was fixed in version 13.15.22 by implementing a surgical fix
that correctly identifies and counts valid Unicode pairs and variation
selectors, ensuring the reported length matches the actual data footprint
more accurately.

Timeline
========
- 2025-10-18: Vulnerability reported to maintainers by Karol Wrótniak.
- 2025-11-27: CVE-2025-12758 published.
- 2025-11-09: Fixed version 13.15.22 released.

References
==========
[1] https://www.thedroidsonroids.com/blog/when-zero-width-isnt-zero
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-12758
[3] https://github.com/validatorjs/validator.js/releases/tag/13.15.22

-- 
Karol Wrótniak
Senior Android Developer

www.droidsonroids.com <https://www.thedroidsonroids.com/>
Wrocław, ul. Sikorskiego 26, 53-659 Poland

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Article source: https://seclists.org/fulldisclosure/2026/Jan/27