7.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-12758

CVE-2025-12758: Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-12758

CVE-2025-12758:

7.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
validator	npm	< 13.15.22	13.15.22

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the isLength function within the validator package. The function's purpose is to check if a string's length falls within a specified range. The flaw is in how the function calculates the string's length when Unicode variation selectors (U+FE0E, U+FE0F) are present. The original code used a regular expression that counted each individual variation selector. However, the Unicode standard specifies that a sequence of these selectors following a character should be treated as a single grapheme cluster, not adding to the visual length. By sending a string with multiple variation selectors in a sequence (e.g., 'A\uFE0F\uFE0F\uFE0F'), an attacker could make the isLength function calculate a much shorter length than the actual string length. This bypasses the intended validation. The patch addresses this by changing the regex to /[^\\uFE0F\\uFE0E][\\uFE0F\\uFE0E]/g, which only counts a variation selector if it is preceded by a character that is not a variation selector, thereby correcting the length calculation for sequences. The vulnerable function is clearly isLength as identified in the commit d457ecaf55b0f3d8bd379d82757425d0d13dd382 which modifies src/lib/isLength.js.

Vulnerable functions

isLength

src/lib/isLength.js

The `isLength` function is vulnerable because it incorrectly calculates the length of strings containing Unicode variation selectors. The original regex `(/(\\uFE0F|\\uFE0E)/g)` counts every occurrence of a variation selector, whereas sequences of these selectors should be treated as a single unit. This leads to an artificially low calculated length. As a result, an attacker can provide a string that bypasses the `isLength` check (e.g., is shorter than `max` length according to the function) but is actually much longer, potentially causing issues like data truncation, buffer overflows, or Denial of Service when processed by downstream components.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-12758: Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements

CVE-2025-12758:

7.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.7

7.7

Technical Details

Basic Information

Basic Information

CVE-2025-12758: Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI