chore(deps): update dependency validator to v13.15.22 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
validator	13.12.0 → 13.15.22

---

validator.js has a URL validation bypass vulnerability in its isURL function

CVE-2025-56200 / GHSA-9965-vmph-33xx

More information

Details

A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

Severity

• CVSS Score: 6.1 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-56200
• https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666
• https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596
• https://github.com/validatorjs/validator.js
• http://validatorjs.com
• https://github.com/validatorjs/validator.js/issues/2600
• https://github.com/validatorjs/validator.js/pull/2608
• https://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809
• https://github.com/validatorjs/validator.js/releases/tag/13.15.20
• https://github.com/advisories/GHSA-9965-vmph-33xx

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements

CVE-2025-12758 / GHSA-vghf-hv5q-vc2g

More information

Details

Versions of the package validator before 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the isLength() function that does not take into account Unicode variation selectors (\uFE0F, \uFE0E) appearing in a sequence which lead to improper string length calculation. This can lead to an application using isLength for input validation accepting strings significantly longer than intended, resulting in issues like data truncation in databases, buffer overflows in other system components, or denial-of-service.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-12758
• https://github.com/validatorjs/validator.js/pull/2616
• https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e
• https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476
• https://github.com/validatorjs/validator.js/commit/d457ecaf55b0f3d8bd379d82757425d0d13dd382
• http://seclists.org/fulldisclosure/2026/Jan/27
• https://github.com/advisories/GHSA-vghf-hv5q-vc2g

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

validatorjs/validator.js (validator)

v13.15.22

Compare Source

Fixes, New Locales and Enhancements

• #​2622 isURL: fix regression with hostnames with ports @​mbtools
• #​2616 isLength: improve handling Unicode variation selectors @​koral--
• Doc fixes and others:
  • #​2621 @​mbtools

v13.15.20

Compare Source

Fixes, New Locales and Enhancements

• #​2556 isMobilePhone: add ar-QA locale @​WardKhaddour
• #​2576 isAlpha/isAlphanuneric: add Indic locales (ta-IN, te-IN, kn-IN, ml-IN, gu-IN, pa-IN, or-IN) @​avadootharajesh
• #​2574 isBase64: improve padding regex @​KrayzeeKev
• #​2584 isVAT: improve FR locale @​iamAmer
• #​2608 isURL: improve protocol detection. Resolves CVE-2025-56200 @​theofidry
• Doc fixes and others:
  • #​2563 @​stoneLeaf
  • #​2581 @​camillobruni

v13.15.15

Compare Source

Fixes, New Locales and Enhancements

• isMobilePhone
  • #​2514 improve el-CY locale @​rezk2ll
  • #​2512 improve pt-AO locale @​renaldodev
  • #​2502 improve ar-OM locale @​tomcastro
• #​2089 isIP: allow usage of option object @​pixelbucket-dev
• #​2526 isPassportNumber: improve CA locale @​evanbechtol
• #​2491 isBase64: improve validation based on RFC4648 @​aseyfpour
• #​2479 isPostalCode: improve FR locale @​Rajput-Balram
• #​2088 isBefore: allow usage of option object @​pixelbucket-dev
• #​2346 isRgbColor: allow second digit in rgba alpha value @​controlol
• #​2453 isIP: improve IPv6 regex @​ShreySinha02
• #​2052 isPostalCode: add PK locale @​mateeni-dev
• #​2529 isPostalCode: improve TW locale @​Crocsx
• #​2550 isPassportNumber: improve US locale @​yitzchak-schechter
• #​2553 isUUID: add loose option @​bc-m
• #​2551 isPostalCode: add BD locale @​tanvirrb
• #​2555 isLicensePlate: improve pt-PT locale @​castrosu
• Doc fixes and others:
  • #​2372 @​EmersonRabelo
  • #​2538 @​WikiRik
  • #​2539 @​WikiRik
  • #​2540 @​WikiRik
  • #​2549 @​WikiRik
  • #​2537 @​sgress454

v13.15.0

Compare Source

New Features / Validators

• #​2399 isISO31661Numeric @​RobinvanderVliet
• #​2294 isULID @​arafatkn
• #​2215 isISO15924 @​xDivisionByZerox

Fixes, New Locales and Enhancements

• isMobilePhone
  • #​2395 add es-GT locale @​ignaciosuarezquilis
  • #​1971 improve en-GB locale @​ihmpavel
  • #​2359 improve uk-UA locale @​arttiger
  • #​2350 improve ky-KG locale @​sadraliev
  • #​2482 improve en-ZM locale @​sonikishan
  • #​2362 improve en-GH locale @​NanaAb-116
  • #​2500 add mk-MK locale @​eshward95
  • #​2534 improve sq-AL locale @​nichoola
• #​2406 isBtcAddress support all address formats and testnets @​madoke
• #​2339 isIBAN improve VG regex @​ST-DDT
• #​2332 isISO4217 update currency codes @​cbodtorf
• #​2291 isIdentityCard add PK locale @​Daniyal-Qureshi
• #​2414 isEmail fix blacklist_chars @​keshavlingala
• #​2416 isInt/isFloat handle undefined and null values @​Daniyal-Qureshi
• #​2415 isPostalCode add CO locale @​jorgevrgs
• #​2404 isPassportNumber export passportNumberLocales @​derekparnell
• #​2029 isRgbColor add allowSpaces option @​a-h-i
• #​2421 isUUID require valid variant field and require RFC9562 UUID in version all @​broofa
• #​2439 isURL add max_allowed_length option @​pinkiesky
• #​2437 isEmail reject starting with double quotes @​code0emperor
• #​2333 isLicensePlate add en-SG locale @​Sabarinathan07
• #​2441 normalizeEmail add yandex_convert_yandexru option @​AayushGH
• #​2443 isDate return false instead of Error in certain cases @​pano9000
• #​2474 isLength add discreteLengths option @​Suven-p
• #​2481 isDate disallow mismatching length in strictMode @​sonikishan
• #​2492 isISO6346 set check digit to 0 if remainder is 10 @​joelcuy
• #​2493 isPostalCode improve BR locale @​ticmaisdev
• #​2494 isEmail allow regexp in host_whitelist and host_blacklist @​weikangchia
• #​2518 isIBAN improve IE/PS regex @​Tarasz57
• Doc fixes and others:
  • #​2402 @​BibhushanKarki
  • #​2394 @​RobinvanderVliet
  • #​1732 @​alguerocode
  • #​2413 @​rubiin
  • #​2408 @​profnandaa
  • #​2411 @​rubiin
  • #​2325 @​ovarn
  • #​2418 @​ihmpavel
  • #​2323 @​ovarn
  • #​2423 @​rubiin
  • #​2409 @​profnandaa
  • #​2442 @​pano9000

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.