2025-09-30 00:00:00
mitre
PUBLISHED
A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses :// as a delimiter to parse protocols, while browsers use : as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks.