CVE-2025-66020
BaseFortify
Publication date: 2025-11-26
Last updated on: 2025-11-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| valibot | valibot | 1.1.0 |
| valibot | valibot | 1.2.0 |
| valibot | valibot | 0.31.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Regular Expression Denial of Service (ReDoS) in the EMOJI_REGEX used by Valibot's emoji action in versions 0.31.0 to 1.1.0. A specially crafted short string (less than 100 characters) can cause the regex engine to consume excessive CPU time for minutes, leading to the application becoming unresponsive or unavailable.
How can this vulnerability impact me?
The vulnerability can cause a Denial of Service (DoS) by making the application consume excessive CPU resources, potentially making it unavailable or unresponsive to legitimate users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Valibot to version 1.2.0 or later, where the vulnerability has been patched. Avoid using vulnerable versions (0.31.0 to 1.1.0) to prevent exposure to the ReDoS attack.