Valibot ReDoS

HIGH (7.5) No Patch (17 days)

Threat Intelligence

Medium Risk - Detectable
EPSS Score: 0.05% chance of exploitation (percentile: 16%)
🔍 Detection Tools: OSV.dev
⚔️ Exploit Availability: No public exploits found


What is it?

Valibot is a data validation library used to ensure that input conforms to a specific schema. In this case, the vulnerability arises from an incorrect regular expression in versions 0.31.0 through 1.1.0 that allows a Regular Expression Denial of Service (ReDoS) attack: crafted input can cause the regex engine to consume excessive CPU time, leading to a Denial of Service (DoS) for the application.

Am I affected?

Affected versions: 100

If you don't recognise this software, you're probably not affected.

Affected Packages

npm: valibot@^1.2.0

Affected Products

Open-Circle / Valibot

How to fix

Upgrade to Valibot 1.2.0 or later from npm.

Alternatively, apply immediate mitigations:
- Set emojis to an empty string in your configuration file (e.g., valibot.config.js) before running the application.
- Monitor for excessive CPU usage and take action if necessary.
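To answer "Am I affected?" across a whole dependency tree rather than by eye, the following Node.js script walks an npm lockfile and flags every copy of valibot whose version falls inside the affected range. This is an added example, not code from the advisory or from the Valibot project; the only facts it takes from the page are the affected range (0.31.0 through 1.1.0) and the fixed version (1.2.0). The lockfile in the block is constructed for illustration, and the version comparator is a deliberately minimal one (MAJOR.MINOR.PATCH only) so the script runs offline without the semver package.

```javascript
// Added example (not from the advisory or the Valibot project): flag installed
// valibot versions that fall inside the affected range stated above.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release/build suffixes are ignored,
// which is enough for this check (assumption: release versions are what ship).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions numerically per component: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

const AFFECTED_MIN = '0.31.0'; // first vulnerable release, per the advisory
const AFFECTED_MAX = '1.1.0';  // last vulnerable release, per the advisory
const FIXED = '1.2.0';         // upgrade target, per the advisory

// True when the version lies inside the affected range (inclusive at both ends).
function isAffected(version) {
  return compareVersions(version, AFFECTED_MIN) >= 0 &&
         compareVersions(version, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and report
// every valibot entry, including nested copies under another package's node_modules.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('/valibot')) {
      findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: one direct vulnerable copy and one nested fixed copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/valibot': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/valibot': { version: '1.2.0' },
  },
};

for (const f of auditLockfile(sampleLock)) {
  const status = f.affected ? `AFFECTED, upgrade to >=${FIXED}` : 'not affected';
  console.log(`${f.path}@${f.version}: ${status}`);
}
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; nested copies matter because a transitive dependency can pin a vulnerable valibot even after the top-level one is upgraded.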