CVE-2025-56200

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-56200

Severity

6.1

Medium

CVSS V3

Description

A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.

References

https://images.chainguard.dev/security/CGA-97c9-7p5v-xcmf
https://github.com/advisories/GHSA-9965-vmph-33xx
https://images.chainguard.dev/security/CGA-6q6x-23mc-xxgq
https://images.chainguard.dev/security/CGA-4v7q-hr24-v9gp
https://github.com/validatorjs/validator.js
http://validatorjs.com
https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666
https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2025-56200

Severity

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company