Validator.js URL Validation Bypass Vulnerability Allowing XSS and Open Redirect
Vulnerability
A URL validation bypass vulnerability has been identified in Validator.js, affecting versions through 13.15.15. The issue arises in the isURL() function, which incorrectly uses '://' as a delimiter for parsing protocols, contrary to browser behavior that recognizes ':' as the delimiter. This discrepancy enables attackers to craft URLs that bypass protocol and domain validation, potentially leading to Cross-Site Scripting (XSS) and Open Redirect vulnerabilities.
Impact
Exploitation of this vulnerability allows attackers to bypass URL validation, creating opportunities for Open Redirect and XSS attacks. Such XSS attacks could be leveraged for more severe consequences, including Account Takeover (ATO) and, in certain contexts, Remote Code Execution (RCE).
Reproduction
To reproduce this vulnerability, use the isURL() function from the Validator.js library with a crafted URL that exploits the validation bypass. The URL should be designed to bypass protocol and domain checks, such as by using 'javascript:' URLs or by manipulating how the URL is parsed. This can be done by including authentication information or by using a domain that is whitelisted in the validation options.
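The delimiter mismatch described under Vulnerability, and a check that avoids it, as an added example (not Validator.js code and not from the original advisory). The helper names, the simplified '://' model and the sample inputs are assumptions constructed for illustration; the hardened check takes the scheme, userinfo and host from the WHATWG URL parser that browsers implement.

```javascript
// Simplified model of a check that only recognizes a scheme when '://' is present.
// Hypothetical helper for illustration; this is not the library's implementation.
function schemeBySlashSlash(input) {
  const i = input.indexOf('://');
  return i === -1 ? null : input.slice(0, i).toLowerCase();
}

// Scheme as the WHATWG URL parser sees it: everything before the first ':'.
function schemeByUrlParser(input) {
  try {
    return new URL(input).protocol.slice(0, -1);
  } catch {
    return null; // not an absolute URL
  }
}

// Hardened check: decide on the parsed result, never on string splitting.
function isAllowedHttpUrl(input, allowedHosts) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return false; // relative or malformed input is rejected outright
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Userinfo makes the visible prefix differ from the real host, so refuse it.
  if (url.username !== '' || url.password !== '') return false;
  return allowedHosts.includes(url.hostname);
}

// Constructed sample inputs.
const samples = [
  'https://example.com/a',
  'javascript:void(0)',
  'https://example.com@other.example/',
  'example.com/path',
];

for (const s of samples) {
  console.log(JSON.stringify({
    input: s,
    slashSlashScheme: schemeBySlashSlash(s),
    parserScheme: schemeByUrlParser(s),
    allowed: isAllowedHttpUrl(s, ['example.com']),
  }));
}
```

Where the two scheme columns disagree, a '://'-based validator and the browser are looking at different URLs; the allowlist decision should always follow the parser's view.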
