Package Validator Vulnerability

HIGH (7.5) No Patch (16 days)

Threat Intelligence

High Risk - Exploits exist
EPSS Score: 0.05% chance of exploitation (percentile: 16%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: GitHub PoC


What is it?

The Package Validator is a JavaScript library used for input validation in web applications. It's designed to prevent common web vulnerabilities like SQL injection and cross-site scripting (XSS). However, due to a specific bug, it can lead to an incomplete filtering of special characters, allowing attackers to bypass security checks.

Am I affected?

You're affected if you use versions of the. Affected versions: 13.15.22. If you don't recognise this software, you're probably not affected.

Affected Packages

npm: validatorjs@^13.15.22

Affected Products

aEnrich / Package Validator

How to fix

To fix this vulnerability, upgrade to Package Validator version 13.15.22 or later. You can do this by running:

npm install validatorjs@^13.15.22

or

yarn add validatorjs@^13.15.22

Alternatively, you can apply the immediate mitigations until an official patch is available:

  1. Update your package.json file to include the following configuration:

     "validator": {
       "filterOptions": ["\\uFE0F", "\\uFE0E"]
     }

     This will prevent the library from accepting strings with Unicode variation selectors.

  2. Run the following command to update the library's configuration:

     npm config set validator.filterOptions '\\uFE0F\\uFE0E'

     or

     yarn config set validator.filterOptions '\\uFE0F\\uFE0E'
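The mitigation above rejects strings carrying Unicode variation selectors. The following is an added example, not code from this advisory or from the validatorjs project, showing why that matters: a keyword deny-list that matches the raw input misses a token with a variation selector inserted, while a filter that rejects such code points or canonicalizes first does not. All function names and sample inputs are constructed for illustration.

```javascript
// Added example (not part of the advisory or the validatorjs project).
// Shows a naive deny-list filter beside a hardened one that either rejects
// Unicode variation selectors outright or strips them before matching.
// All names and sample inputs below are constructed for illustration.

// Variation selectors: U+FE00..U+FE0F (VS1-VS16) and U+E0100..U+E01EF (VS17-VS256).
const VARIATION_SELECTORS = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu;

// Canonical form for matching: drop variation selectors, apply NFKC, case-fold.
function canonicalize(s) {
  return s.replace(VARIATION_SELECTORS, '').normalize('NFKC').toLowerCase();
}

// Fresh RegExp per call so the global regex's lastIndex state cannot leak.
function containsVariationSelector(s) {
  return new RegExp(VARIATION_SELECTORS.source, 'u').test(s);
}

const DENIED_TOKENS = ['<script', 'drop table', 'union select'];

// Vulnerable pattern: matches against the raw, un-normalized input.
function naiveFilter(input) {
  const lowered = input.toLowerCase();
  return DENIED_TOKENS.some((t) => lowered.includes(t)) ? 'blocked' : 'allowed';
}

// Hardened pattern: reject inputs containing variation selectors (as the
// advisory's mitigation does); otherwise match on the canonical form.
function hardenedFilter(input, { rejectSelectors = true } = {}) {
  if (typeof input !== 'string') return 'blocked';
  if (rejectSelectors && containsVariationSelector(input)) return 'blocked';
  const canon = canonicalize(input);
  return DENIED_TOKENS.some((t) => canon.includes(t)) ? 'blocked' : 'allowed';
}

// Constructed sample inputs; the second hides U+FE0F inside a denied token.
const SAMPLES = {
  plain: 'DROP TABLE users',
  withSelector: 'DRO\uFE0FP TABLE users',
  benign: 'hello world',
};

// Runs both filters over every sample and returns the verdicts side by side.
function runSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, v]) => [k, { naive: naiveFilter(v), hardened: hardenedFilter(v) }])
  );
}
```

Running `runSamples()` shows the naive filter letting the `withSelector` input through while the hardened filter blocks it; passing `{ rejectSelectors: false }` to `hardenedFilter` still blocks it via canonicalization.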