Incomplete Filtering of One or More Instances of Special Elements
CVE-2025-12758
Summary
Versions of the package validator prior to 13.15.22 are vulnerable to Incomplete Filtering of One or More Instances of Special Elements in the `isLength()` function, which does not take into account Unicode variation selectors (U+FE0F, U+FE0E) appearing in a sequence, leading to an incorrect string length calculation. An application that relies on `isLength()` for input validation can therefore accept strings significantly longer than intended, which can result in data truncation in databases, buffer overflows in other system components, or denial of service. Note that JavaScript's `String.prototype.length` counts UTF-16 code units: a variation selector is one BMP code unit that adds nothing to the visible (grapheme) length of the string, so a count in one unit disagrees with a count in the other, and a length check is only meaningful when its unit matches the unit of the downstream limit (database column width, fixed-size buffer).
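The following is an added example, not code from the validator project, showing why a length check has to name its unit. It measures the same strings in UTF-16 code units, Unicode code points and grapheme clusters (using `Intl.Segmenter` where available, with a labelled approximate fallback), and wraps the measurement in a hypothetical `isLengthIn()` check whose `unit` option must match the downstream limit. The sample strings are constructed for the demonstration.

```javascript
// Added example (not the validator project's code): how one string measures
// differently in UTF-16 code units, code points and grapheme clusters, and a
// length check that makes the caller name the unit it is enforcing.

// UTF-16 code units: what String.prototype.length reports.
function utf16Length(str) {
  return str.length;
}

// Unicode code points: a surrogate pair collapses to one, but a variation
// selector (U+FE0E/U+FE0F) is still its own code point.
function codePointLength(str) {
  return [...str].length;
}

// Grapheme clusters: what a user sees as one character. Variation selectors,
// the combining keycap and other marks attach to the preceding base character.
function graphemeLength(str) {
  if (typeof Intl !== "undefined" && typeof Intl.Segmenter === "function") {
    const seg = new Intl.Segmenter(undefined, { granularity: "grapheme" });
    let n = 0;
    for (const _ of seg.segment(str)) n += 1;
    return n;
  }
  // Fallback (assumption: approximate only): drop every Mark-category code
  // point (U+FE0F is Mn, U+20E3 is Me) and count what is left. This does not
  // handle ZWJ sequences or regional-indicator pairs.
  return [...str.replace(/\p{M}/gu, "")].length;
}

const UNITS = {
  utf16: utf16Length,
  codepoint: codePointLength,
  grapheme: graphemeLength,
};

// Hypothetical length check with an explicit unit. `unit` must be the unit of
// the limit being protected (column width, buffer size) or the check says
// nothing about that limit.
function isLengthIn(str, { min = 0, max = Infinity, unit = "utf16" } = {}) {
  if (typeof str !== "string") throw new TypeError("expected a string");
  const count = UNITS[unit];
  if (!count) throw new RangeError(`unknown unit: ${unit}`);
  const len = count(str);
  return len >= min && len <= max;
}

// Constructed sample strings.
const SAMPLES = {
  heart: "\u2764\uFE0F",        // heart + U+FE0F emoji presentation selector
  keycap: "\u0031\uFE0F\u20E3", // digit one + U+FE0F + combining enclosing keycap
  grin: "\uD83D\uDE00",         // one supplementary code point, two code units
  ascii: "abc",
};

function measure(str) {
  return {
    utf16: utf16Length(str),
    codepoint: codePointLength(str),
    grapheme: graphemeLength(str),
  };
}

// Four visible hearts: 4 graphemes, 8 code points, 8 code units. A max of 4
// accepts or rejects the same input depending only on the unit chosen.
function demo() {
  const input = SAMPLES.heart.repeat(4);
  return {
    measured: measure(input),
    passesAsUtf16: isLengthIn(input, { max: 4, unit: "utf16" }),
    passesAsGrapheme: isLengthIn(input, { max: 4, unit: "grapheme" }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, s] of Object.entries(SAMPLES)) console.log(name, measure(s));
  console.log(demo());
}
```

Run it with `node` to print the three counts for each sample. The practical check before relying on any length validator is to take a string such as `SAMPLES.heart`, measure it in the unit your storage or buffer limit uses, and confirm the validator rejects it at exactly that boundary.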
CVSS v3 base metrics
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- User Interaction: NONE
- Confidentiality: NONE
- Integrity: NONE
- Availability: HIGH
CWE-792 - Incomplete Filtering of One or More Instances of Special Elements
The software receives data from an upstream component, but does not completely filter one or more instances of special elements before sending it to a downstream component.
References
Advisory Timeline
- Published