Validator Incomplete Unicode Length Validation Vulnerability Allowing Excessive String Lengths

Vulnerability

A vulnerability exists in the 'validator' package in versions prior to 13.15.22, within the 'isLength()' function. The function does not correctly account for Unicode variation selectors when measuring a string, so a string padded with them can pass a maximum-length check even though its actual size exceeds the configured limit. Downstream components that trust the check may then receive far more data than they were designed for, leading to truncated or failed database writes, buffer overflows in code that assumed the bound was enforced, or resource exhaustion and denial of service.

Impact

An attacker who controls validated input can push strings well past the intended maximum into any component that relies on 'isLength()' for the bound, with the consequences noted above: data management failures, memory corruption via buffer overflows in code that trusted the bound, or service disruption.

Reproduction

Use a 'validator' release prior to 13.15.22 and call 'isLength()' with a 'max' option on a string that contains many Unicode variation selectors (for example U+FE0F) in addition to ordinary characters. The function reports the string as within the limit even though it is longer than 'max', so the check passes when it should fail.

Remediation

Users are advised to upgrade the 'validator' package to version 13.15.22 or higher. Until the upgrade is deployed, a general defensive measure is to enforce an independent cap on raw string size (UTF-16 code units or UTF-8 bytes) alongside 'isLength()', since that measure does not depend on how the library classifies individual code points.
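The following JavaScript is an added illustration for the Reproduction and Remediation sections above; it is not code from the 'validator' package or from this advisory. It shows the failure mode in the abstract: a length check that discounts variation selectors ('naiveIsLength' here is a stand-in written for this example, not a reproduction of the package's internals) accepts a constructed string of 1,010 code points under a 'max' of 16, while a check that also bounds code points and UTF-8 bytes rejects it. 'PADDED_INPUT', 'BENIGN_INPUT' and all function names are this example's own.

```javascript
// Added example, not validator.js code. Demonstrates why a length check that
// discounts Unicode variation selectors can be bypassed, and a hardened check
// that bounds the string by every unit a downstream consumer might use.

// Variation selectors: U+FE00..U+FE0F (VS1..VS16) and U+E0100..U+E01EF (VS17..VS256).
const VARIATION_SELECTORS = /[\uFE00-\uFE0F\u{E0100}-\u{E01EF}]/gu;

// Measures one string every way a system might count it.
function lengthReport(str) {
  return {
    codeUnits: str.length,                                // UTF-16 units, what JS stores
    codePoints: Array.from(str).length,                   // surrogate pairs count as one
    bytes: new TextEncoder().encode(str).length,          // UTF-8, what a DB column stores
    visible: str.replace(VARIATION_SELECTORS, '').length, // with selectors discounted
  };
}

// Stand-in for the flawed pattern (NOT the package's implementation): the
// length compared against min/max is the one with variation selectors removed.
function naiveIsLength(str, { min = 0, max = Infinity } = {}) {
  const len = lengthReport(str).visible;
  return len >= min && len <= max;
}

// Hardened: min applies to code points; max applies to code points AND to raw
// UTF-8 size, so no class of invisible code point can inflate the string past
// what storage and native consumers expect. maxBytes defaults to 4 bytes per
// allowed code point (the UTF-8 worst case).
function hardenedIsLength(str, { min = 0, max = Infinity, maxBytes = max * 4 } = {}) {
  if (typeof str !== 'string') return false;
  const r = lengthReport(str);
  return r.codePoints >= min && r.codePoints <= max && r.bytes <= maxBytes;
}

// Constructed sample: 10 visible letters followed by 1,000 U+FE0F selectors.
const PADDED_INPUT = 'A'.repeat(10) + '\uFE0F'.repeat(1000);
// Constructed benign sample: a heart followed by an emoji presentation selector.
const BENIGN_INPUT = 'hello \u2764\uFE0F';

function demo() {
  const limit = { max: 16 };
  return {
    report: lengthReport(PADDED_INPUT),
    naiveAcceptsPadded: naiveIsLength(PADDED_INPUT, limit),       // true: the bypass
    hardenedAcceptsPadded: hardenedIsLength(PADDED_INPUT, limit), // false
    hardenedAcceptsBenign: hardenedIsLength(BENIGN_INPUT, limit), // true
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of 'lengthReport' is that "length" is not one number: the padded sample is 10 characters by the discounting measure but 1,010 UTF-16 code units and 3,010 UTF-8 bytes, and it is the latter two that a database column or native buffer actually has to hold. Bounding raw size alongside any character-oriented count is the check that survives a library-level misclassification like the one described in this advisory.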

Added: Nov 27, 2025, 5:24 AM
Updated: Nov 27, 2025, 5:24 AM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.