Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66020

CVE-2025-66020: Valibot ReDoS Denial of Service Vulnerability

CVE-2025-66020 is a Regular Expression Denial of Service flaw in Valibot's EMOJI_REGEX that allows attackers to cause excessive CPU consumption with minimal input. This article covers technical details, affected versions, and patches.

Published:

CVE-2025-66020 Overview

CVE-2025-66020 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Valibot, a popular data validation library. The vulnerability exists in the EMOJI_REGEX pattern used within the emoji action feature. An attacker can craft a malicious input string of fewer than 100 characters that causes the regex engine to consume excessive CPU time, potentially lasting several minutes, effectively rendering the application unresponsive.

Critical Impact

Applications using Valibot versions 0.31.0 through 1.1.0 for emoji validation are vulnerable to denial of service attacks through maliciously crafted input strings.

Affected Products

  • Valibot versions 0.31.0 through 1.1.0
  • Applications utilizing the emoji action validation feature
  • Node.js and JavaScript environments running vulnerable Valibot versions

Discovery Timeline

  • 2025-11-26 - CVE-2025-66020 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-66020

Vulnerability Analysis

This vulnerability falls under CWE-1333 (Inefficient Regular Expression Complexity). The root issue stems from the regex pattern used in Valibot's emoji validation action, which contains nested quantifiers or overlapping patterns that cause catastrophic backtracking when processing specially crafted input.

ReDoS vulnerabilities occur when a regular expression's worst-case evaluation time grows exponentially with input size. In this case, the EMOJI_REGEX pattern exhibits this behavior, allowing an attacker to craft short input strings (under 100 characters) that force the regex engine into excessive backtracking cycles. This can consume CPU resources for extended periods, effectively causing a denial of service condition.

The attack requires no authentication and can be triggered remotely through any application endpoint that processes user input through Valibot's emoji validation. Since the attack vector is network-accessible and requires no special privileges, applications exposed to untrusted input are particularly at risk.

Root Cause

The vulnerability originates from inefficient regular expression design in the EMOJI_REGEX pattern within Valibot's emoji action module. The regex contains patterns that lead to exponential time complexity during evaluation, particularly when processing strings with specific character sequences that cause the regex engine to explore numerous backtracking paths before determining a match or non-match.

Attack Vector

The attack exploits the network-accessible nature of applications using Valibot for input validation. An attacker can submit a crafted string through any form, API endpoint, or data input mechanism that utilizes the vulnerable emoji validation action. The malicious payload requires no authentication to deliver, and a single request with a carefully constructed string can cause significant CPU exhaustion on the target server.

The attack methodology involves:

  1. Identifying an application using Valibot's emoji validation
  2. Crafting an input string with patterns that trigger catastrophic backtracking
  3. Submitting the payload through any user-facing input channel
  4. Observing the target application become unresponsive during regex evaluation

For technical implementation details, refer to the GitHub Security Advisory GHSA-vqpr-j7v3-hqw9.

Detection Methods for CVE-2025-66020

Indicators of Compromise

  • Unexplained CPU spikes on servers processing user input through Valibot validation
  • Application threads hanging or timing out during emoji validation operations
  • Increased response latency correlated with specific input patterns
  • Server resource exhaustion alerts without corresponding increase in legitimate traffic

Detection Strategies

  • Monitor application logs for timeout errors related to validation operations
  • Implement regex evaluation time limits and alert on excessive processing duration
  • Deploy dependency scanning tools to identify vulnerable Valibot versions in your codebase
  • Conduct software composition analysis (SCA) to track vulnerable library versions

Monitoring Recommendations

  • Configure CPU usage alerts for processes handling input validation
  • Establish baseline response times for validation endpoints and alert on anomalies
  • Enable detailed logging for validation failures and timeouts
  • Implement request rate limiting on endpoints accepting user-controlled input

How to Mitigate CVE-2025-66020

Immediate Actions Required

  • Upgrade Valibot to version 1.2.0 or later immediately
  • Audit applications to identify all instances of emoji action usage
  • Implement input length restrictions as a temporary defense layer
  • Configure request timeouts to limit impact of potential exploitation attempts

Patch Information

The vulnerability has been addressed in Valibot version 1.2.0. The fix involves replacing the vulnerable EMOJI_REGEX with a more efficient pattern that avoids catastrophic backtracking scenarios. Organizations should update their package dependencies to the patched version.

For patch details, see the commit cfb799db301a953a0950d5c05a34a3ab121262dc.

Workarounds

  • Implement strict input length validation before passing data to emoji validation (limit to reasonable emoji string lengths)
  • Add request timeout configurations at the application or reverse proxy level
  • Consider temporarily disabling emoji validation if not critical to application functionality
  • Deploy web application firewall (WAF) rules to block requests with suspicious character patterns
bash
# Example: Update Valibot to patched version
npm update valibot@^1.2.0

# Or for yarn users
yarn upgrade valibot@^1.2.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.