## Valibot v1.2.0 Patches Critical ReDoS Vulnerability in Emoji Regex (CVE-2025-66020)
A critical security vulnerability in Valibot, the TypeScript-first schema validation library, has been patched in its latest release. The flaw, tracked as CVE-2025-66020, resides in the `EMOJI_REGEX` used by the `emoji` action. The regular expression is susceptible to Regular Expression Denial of Service (ReDoS): a short, maliciously crafted input string of under 100 characters can send the regex engine into catastrophic backtracking that stalls for minutes. Because JavaScript regex matching is synchronous, that stall blocks the event loop of the Node.js process (or browser tab) running the validation, so every other request that process is serving waits too, which amounts to a complete Denial of Service (DoS) for the application.
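
As an added example, not code from Valibot or from the advisory, the Node.js script below shows the behaviour the paragraph describes and gives a way to check for it: it times a regex on near-matching inputs of growing length and flags run time that grows far faster than the input. The nested-quantifier pattern in it is a constructed textbook ReDoS case, not `EMOJI_REGEX`, whose contents this page does not reproduce; the `almostMatching` generator, the 12/22 character lengths and the 1 ms / 16x thresholds are choices made for this illustration.

```javascript
// Added example (not Valibot code): detect catastrophic backtracking by timing a
// regex on inputs of increasing length and checking how the run time scales.
// The vulnerable pattern below is a constructed textbook example, not Valibot's
// EMOJI_REGEX, which this page does not reproduce.

// Best-of-N wall-clock time (ms) for one RegExp.test call. Taking the minimum
// filters out JIT warm-up and scheduler noise. `performance` is the Node.js
// global (Node 16+), so no import is needed.
function timeTest(re, input, rounds = 3) {
  let best = Infinity;
  for (let i = 0; i < rounds; i++) {
    const start = performance.now();
    re.test(input);
    const elapsed = performance.now() - start;
    if (elapsed < best) best = elapsed;
  }
  return best;
}

// Constructed input: n copies of the repeated character followed by one
// character the pattern cannot accept. The prefix matches, the trailing "!"
// forces failure, so a backtracking engine must try every way of splitting
// the prefix before it can give up.
function almostMatching(n) {
  return "a".repeat(n) + "!";
}

// Compare run time at a small and a large input length. A linear-time pattern
// costs microseconds at either size; exponential backtracking multiplies the
// cost by roughly 2^(largeLen - smallLen). Both a large ratio and a noticeable
// absolute cost at the large size are required before flagging, so jitter on
// already-fast regexes is not mistaken for ReDoS.
function probeRegex(re, smallLen = 12, largeLen = 22) {
  const smallMs = timeTest(re, almostMatching(smallLen));
  const largeMs = timeTest(re, almostMatching(largeLen));
  const ratio = largeMs / Math.max(smallMs, 1e-3); // guard against ~0 divisor
  return {
    smallMs,
    largeMs,
    ratio,
    // Thresholds are a judgment call: 22 characters should never cost a
    // linear-time pattern more than a fraction of a millisecond.
    suspicious: largeMs > 1 && ratio > 16,
  };
}

// Constructed patterns for illustration. Nested quantifiers over the same
// character class are the classic ReDoS shape; the single anchored quantifier
// accepts exactly the same strings in linear time.
const VULNERABLE_RE = /^(a+)+$/;
const LINEAR_RE = /^a+$/;

function main() {
  const cases = [["nested (a+)+", VULNERABLE_RE], ["linear a+", LINEAR_RE]];
  for (const [name, re] of cases) {
    const r = probeRegex(re);
    const flag = r.suspicious ? "  <-- super-linear, ReDoS candidate" : "";
    console.log(
      `${name}: ${r.smallMs.toFixed(3)} ms -> ${r.largeMs.toFixed(3)} ms ` +
        `(x${r.ratio.toFixed(0)})${flag}`
    );
  }
}

main();
```

Save it under any name and run it with `node`. The same `probeRegex` helper can be pointed at any regex your code applies to untrusted input, but `almostMatching` has to be adapted to the pattern under test: the damaging input is always one that matches almost to the end and then fails, because that is what forces the engine to explore every alternative.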

The vulnerability was disclosed via GitHub Security Advisory GHSA-vqpr-j7v3-hqw9 and is fixed in Valibot version 1.2.0. The update, flagged as a security fix, moves the dependency from version 1.1.0 to 1.2.0. This is not a routine feature update; it is a mandatory patch for a flaw that anyone able to submit a string to a schema using the `emoji` action can trigger. Note that the effect is a stall rather than a crash: no exception is thrown and nothing is logged, the process simply stops responding while the regex engine backtracks.

For developers and organizations relying on Valibot, this creates immediate pressure to update. The ease of exploitation, a single short string, makes this a high-risk vulnerability for any production system that runs the `emoji` action on untrusted input; schemas that never use `emoji` are not reachable through this flaw, but upgrading is still the straightforward fix. Automated dependency management tools like Renovate are already generating pull requests to apply it. To confirm what your lockfile actually resolves, including transitive copies pulled in by other packages, run `npm ls valibot` (or your package manager's equivalent) and check that every instance reports 1.2.0 or later. Failure to merge this update leaves applications exposed to trivial DoS attacks that degrade service availability, underscoring the importance of proactive dependency management in the software supply chain.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, ReDoS, npm, open-source
- **Credibility**: unverified
- **Published**: 2026-03-25 16:27:19
- **ID**: 33647
- **URL**: https://whisperx.ai/en/intel/33647