Publish GHSA-9965-vmph-33xx

advisory-database[bot] · advisory-database[bot] · commit 9aa36d9c3f18 · 2025-10-27T12:54:25.000Z
diff --git a/advisories/github-reviewed/2025/09/GHSA-9965-vmph-33xx/GHSA-9965-vmph-33xx.json b/advisories/github-reviewed/2025/09/GHSA-9965-vmph-33xx/GHSA-9965-vmph-33xx.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9965-vmph-33xx",
-  "modified": "2025-10-13T20:08:58Z",
+  "modified": "2025-10-27T12:53:01Z",
   "published": "2025-09-30T18:30:25Z",
   "aliases": [
     "CVE-2025-56200"
   ],
   "summary": "validator.js has a URL validation bypass vulnerability in its isURL function",
-  "details": "A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.",
+  "details": "A URL validation bypass vulnerability exists in validator.js prior to version 13.15.20. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -28,7 +28,7 @@
               "introduced": "0"
             },
             {
-              "last_affected": "13.15.15"
+              "fixed": "13.15.20"
             }
           ]
         }
@@ -44,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/validatorjs/validator.js/issues/2600"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/validatorjs/validator.js/pull/2608"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809"
+    },
     {
       "type": "WEB",
       "url": "https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666"
@@ -56,6 +64,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/validatorjs/validator.js"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/validatorjs/validator.js/releases/tag/13.15.20"
+    },
     {
       "type": "WEB",
       "url": "http://validatorjs.com"
