{"id":"CVE-2025-56200","details":"A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as the delimiter when parsing the protocol, whereas browsers use ':' as the delimiter. This parsing difference allows attackers to craft URLs that bypass protocol and domain validation, which can lead to XSS and open redirect attacks.","aliases":["GHSA-9965-vmph-33xx"],"modified":"2026-04-10T05:30:09.201188Z","published":"2025-09-30T18:15:50.307Z","related":["CGA-gj7f-j7mr-mj88"],"references":[{"type":"WEB","url":"http://validatorjs.com"},{"type":"PACKAGE","url":"https://github.com/validatorjs/validator.js"},{"type":"EVIDENCE","url":"https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666"},{"type":"EVIDENCE","url":"https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/validatorjs/validator.js","events":[{"introduced":"0"},{"last_affected":"3847c6f90192bf9eec1aabc1bcb33e33d5810881"}],"database_specific":{"versions":[{"introduced":"validator.js"},{"last_affected":"13.15.15."}]}}],"versions":["0.5.0","1.0.0","1.1.0","1.1.2","1.2.0","1.2.1","1.2.2","1.3.0","1.4.0","1.5.0","1.5.1","10.0.0","10.1.0","10.10.0","10.11.0","10.2.0","10.3.0","10.4.0","10.5.0","10.6.0","10.7.0","10.7.1","10.8.0","10.9.0","11.0.0","11.1.0","12.0.0","12.1.0","12.2.0","13.0.0","13.1.0","13.1.1","13.11.0","13.12.0","13.15.0","13.15.15","13.5.0","13.6.0","13.6.1","13.7.0","13.9.0","2.0.0","2.1.0","3.0.0","3.1.0","3.10.0","3.11.0","3.11.1","3.11.2","3.12.0","3.13.0","3.14.0","3.14.1","3.15.0","3.16.0","3.16.1","3.16.2","3.17.0","3.17.1","3.17.2","3.18.0","3.18.1","3.19.0","3.19.1","3.2.0","3.2.1","3.20.0","3.21.0","3.22.0","3.22.1","3.22.2","3.23.0","3.24.0","3.25.0","3.26.0","3.27.0","3.28.0","3.29.0","3.3.0","3.30.0","3.31.0","3.32.0","3.33.0","3.34.0","3.35.0","3.36.0","3.37.0","3.38.0","3.39.0","3.4.0","3.40.0","3.40.1","3.41.0","3.41.1","3.41.2","3.41.3","3.42.0","3.5.0","3.
5.1","3.6.0","3.7.0","3.8.0","3.9.0","4.0.0","4.0.1","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.1.0","4.2.0","4.3.0","4.4.0","4.4.1","4.5.0","4.5.1","4.5.2","4.6.0","4.6.1","4.7.0","4.7.1","4.8.0","4.9.0","5.0.0","5.1.0","5.2.0","5.3.0","5.4.0","5.5.0","5.6.0","5.7.0","6.0.0","6.1.0","6.2.0","6.2.1","6.3.0","7.0.0","7.1.0","7.2.0","8.0.0","8.1.0","8.2.0","9.0.0","9.1.0","9.1.1","9.1.2","9.2.0","9.3.0","9.4.0","9.4.1","v13.1.17"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.15.15"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-56200.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}