GHSA-VQPR-J7V3-HQW9
Vulnerability from github – Published: 2025-11-26 19:33 – Updated: 2025-11-26 19:33Summary
The EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application.
Details
The ReDoS vulnerability stems from "catastrophic backtracking" in the EMOJI_REGEX. This is caused by ambiguity in the regex pattern due to overlapping character classes.
Specifically, the class \p{Emoji_Presentation} overlaps with more specific classes used in the same alternation, such as [\u{1F1E6}-\u{1F1FF}] (regional indicator symbols used for flags) and \p{Emoji_Modifier_Base}.
When the regex engine attempts to match a string that almost matches but ultimately fails (like the one in the PoC), this ambiguity forces it to explore an exponential number of possible paths. The matching time increases exponentially with the length of the crafted input, rather than linearly.
PoC
The following code demonstrates the vulnerability.
import * as v from 'valibot';
const schema = v.object({
x: v.pipe(v.string(), v.emoji()),
});
const attackString = '\u{1F1E6}'.repeat(49) + '0';
console.log(`Input length: ${attackString.length}`);
console.log('Starting parse... (This will take a long time)');
// On my machine, a length of 99 takes approximately 2 minutes.
console.time();
try {
v.parse(schema, {x: attackString });
} catch (e) {}
console.timeEnd();
Impact
Any project using Valibot's emoji validation on user-controllable input is vulnerable to a Denial of Service attack.
An attacker can block server resources (e.g., a web server's event loop) by submitting a short string to any endpoint that uses this validation. This is particularly dangerous because the attack string is short enough to bypass typical input length restrictions (e.g., maxLength(100)).
Recommended Fix
The root cause is the overlapping character classes. This can be resolved by making the alternatives mutually exclusive, typically by using negative lookaheads ((?!...)) to subtract the specific classes from the more general one.
The following modified EMOJI_REGEX applies this principle:
export const EMOJI_REGEX: RegExp =
// eslint-disable-next-line redos-detector/no-unsafe-regex, regexp/no-dupe-disjunctions -- false positives
/^(?:[\u{1F1E6}-\u{1F1FF}]{2}|\u{1F3F4}[\u{E0061}-\u{E007A}]{2}[\u{E0030}-\u{E0039}\u{E0061}-\u{E007A}]{1,3}\u{E007F}|(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|(?![\p{Emoji_Modifier_Base}\u{1F1E6}-\u{1F1FF}])\p{Emoji_Presentation})(?:\u200D(?:\p{Emoji}\uFE0F\u20E3?|\p{Emoji_Modifier_Base}\p{Emoji_Modifier}?|(?![\p{Emoji_Modifier_Base}\u{1F1E6}-\u{1F1FF}])\p{Emoji_Presentation}))*)+$/u;
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "valibot"
},
"ranges": [
{
"events": [
{
"introduced": "0.31.0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66020"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-11-26T19:33:34Z",
"nvd_published_at": "2025-11-26T02:15:49Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe `EMOJI_REGEX` used in the `emoji` action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., \u003c100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application.\n\n### Details\n\nThe ReDoS vulnerability stems from \"catastrophic backtracking\" in the `EMOJI_REGEX`. This is caused by ambiguity in the regex pattern due to overlapping character classes.\n\nSpecifically, the class `\\p{Emoji_Presentation}` overlaps with more specific classes used in the same alternation, such as `[\\u{1F1E6}-\\u{1F1FF}]` (regional indicator symbols used for flags) and `\\p{Emoji_Modifier_Base}`.\n\nWhen the regex engine attempts to match a string that almost matches but ultimately fails (like the one in the PoC), this ambiguity forces it to explore an exponential number of possible paths. The matching time increases exponentially with the length of the crafted input, rather than linearly.\n\n### PoC\n\nThe following code demonstrates the vulnerability.\n\n```javascript\nimport * as v from \u0027valibot\u0027;\n\nconst schema = v.object({\n x: v.pipe(v.string(), v.emoji()),\n});\n\nconst attackString = \u0027\\u{1F1E6}\u0027.repeat(49) + \u00270\u0027;\n\nconsole.log(`Input length: ${attackString.length}`);\nconsole.log(\u0027Starting parse... (This will take a long time)\u0027);\n\n// On my machine, a length of 99 takes approximately 2 minutes.\nconsole.time();\ntry {\n v.parse(schema, {x: attackString });\n} catch (e) {}\nconsole.timeEnd();\n```\n\n### Impact\n\nAny project using Valibot\u0027s `emoji` validation on user-controllable input is vulnerable to a Denial of Service attack.\n\nAn attacker can block server resources (e.g., a web server\u0027s event loop) by submitting a short string to any endpoint that uses this validation. This is particularly dangerous because the attack string is short enough to bypass typical input length restrictions (e.g., maxLength(100)).\n\n### Recommended Fix\n\nThe root cause is the overlapping character classes. This can be resolved by making the alternatives mutually exclusive, typically by using negative lookaheads (`(?!...)`) to subtract the specific classes from the more general one.\n\nThe following modified `EMOJI_REGEX` applies this principle:\n\n```javascript\nexport const EMOJI_REGEX: RegExp =\n // eslint-disable-next-line redos-detector/no-unsafe-regex, regexp/no-dupe-disjunctions -- false positives\n /^(?:[\\u{1F1E6}-\\u{1F1FF}]{2}|\\u{1F3F4}[\\u{E0061}-\\u{E007A}]{2}[\\u{E0030}-\\u{E0039}\\u{E0061}-\\u{E007A}]{1,3}\\u{E007F}|(?:\\p{Emoji}\\uFE0F\\u20E3?|\\p{Emoji_Modifier_Base}\\p{Emoji_Modifier}?|(?![\\p{Emoji_Modifier_Base}\\u{1F1E6}-\\u{1F1FF}])\\p{Emoji_Presentation})(?:\\u200D(?:\\p{Emoji}\\uFE0F\\u20E3?|\\p{Emoji_Modifier_Base}\\p{Emoji_Modifier}?|(?![\\p{Emoji_Modifier_Base}\\u{1F1E6}-\\u{1F1FF}])\\p{Emoji_Presentation}))*)+$/u;\n```",
"id": "GHSA-vqpr-j7v3-hqw9",
"modified": "2025-11-26T19:33:34Z",
"published": "2025-11-26T19:33:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-circle/valibot/security/advisories/GHSA-vqpr-j7v3-hqw9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66020"
},
{
"type": "WEB",
"url": "https://github.com/open-circle/valibot/commit/cfb799db301a953a0950d5c05a34a3ab121262dc"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-circle/valibot"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Valibot has a ReDoS vulnerability in `EMOJI_REGEX`"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.