PatchSiren cyber security CVE debrief

CVE-2013-7452 Nodejs CVE debrief

CVE-2013-7452 describes a cross-site scripting filter bypass in the validator module for Node.js, affecting validator versions before 1.1.0. According to the NVD record, a remote attacker can use a crafted javascript: URI to bypass the module’s XSS filtering. The issue is classified as CWE-79 and carries a Medium CVSS score of 6.1.

Vendor: Nodejs
Product: CVE-2013-7452
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Teams that used the Node.js validator module in web applications, especially any code path that relied on it to reject or sanitize user-supplied links or URIs. Security engineers and maintainers responsible for legacy Node.js dependencies should verify whether validator versions before 1.1.0 are still present in builds or deployed artifacts.

Technical summary

NVD lists the vulnerable range as node.js validator versions up to and including 1.0.4, with the fix implied by the cutoff at 1.1.0 in the CVE description. The flaw is an XSS filter bypass: a crafted javascript: URI can evade validation and potentially reach browser-executed contexts. NVD assigns CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, reflecting network reachability, no privileges required, and user interaction.
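The summary above turns on a single filter deciding whether a user-supplied link is safe to emit into a page. An added example, not code from PatchSiren or from the validator project, of the kind of independent control an application can place behind that filter: resolve the link with the WHATWG URL parser that Node.js ships as the global URL class, then accept only schemes on an allowlist. The SAFE_SCHEMES set, the BASE_ORIGIN value and the sample links are assumptions constructed for this example.

```javascript
// Added example (not PatchSiren's or the validator project's code): an
// allowlist check on the resolved URL scheme, used as defence in depth
// behind whatever validation library the application already relies on.
// SAFE_SCHEMES and BASE_ORIGIN are assumptions for this example.

const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
// Assumed origin against which relative links are resolved, so that a
// value like "/docs" is judged the way the browser would render it.
const BASE_ORIGIN = 'https://app.example';

// Return the scheme the browser would use for this href, or null when the
// value cannot be parsed as a URL at all. The WHATWG parser strips leading
// and trailing whitespace and control characters and lower-cases the
// scheme, so padded or mixed-case "javascript:" values normalise to the
// same protocol string instead of slipping past a string comparison.
function resolveScheme(href, base = BASE_ORIGIN) {
  if (typeof href !== 'string') return null;
  try {
    return new URL(href, base).protocol;
  } catch {
    return null; // e.g. "http://" with no host
  }
}

// True only when the resolved scheme is on the allowlist. Unparseable
// input and every scheme not listed (javascript:, data:, vbscript:, ...)
// is rejected; nothing is denylisted by name.
function isSafeHref(href, base = BASE_ORIGIN) {
  const scheme = resolveScheme(href, base);
  return scheme !== null && SAFE_SCHEMES.has(scheme);
}

// Constructed sample inputs, as a link-accepting form might receive them.
const SAMPLE_LINKS = [
  'https://example.org/docs',
  '/relative/page',
  'mailto:security@example.org',
  'javascript:alert(1)',
  '  JavaScript:alert(1)', // padded and mixed case
  'data:text/html,hello',
];

// Classify every sample; used here to show the decision for each input.
function classifySamples(links = SAMPLE_LINKS) {
  return links.map((href) => ({
    href,
    scheme: resolveScheme(href),
    safe: isSafeHref(href),
  }));
}

console.table(classifySamples());
```

Run with `node` on any release that has the global URL class; the three http/https/mailto entries are accepted and the rest rejected. Because the check reads the scheme the parser produces rather than searching the raw string, it gives the same answer the browser will, which is what a filter in front of an href attribute needs.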

Defensive priority

Moderate. The issue is not known to be in CISA KEV and there is no supplied evidence of ransomware use, but it directly affects XSS protections in a commonly reused validation component. Prioritize if the module is still in production or if application code depends on it for URL or input filtering.

Recommended defensive actions

  • Inventory applications and dependencies for validator versions at or below 1.0.4.
  • Upgrade to a non-vulnerable validator release at or above 1.1.0, or replace the module if it is no longer maintained in your stack.
  • Review any code that trusts validator output to block javascript: URIs or other user-controlled links.
  • Add server-side and client-side controls that do not rely on a single validation library for XSS protection.
  • Test affected applications for unsafe URI handling in the specific user flows that accept links or rich text.
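The first two actions above are an inventory problem: find every copy of validator at or below 1.0.4, including copies nested under other dependencies, before upgrading. An added example, not PatchSiren's or the validator project's code, that walks a package-lock.json object in either the v1 layout (nested "dependencies") or the v2/v3 layout (flat "packages" map) and reports vulnerable copies with their install paths. The two sample lockfiles and the package names inside them are constructed for this example; the version cutoff is the 1.1.0 fix implied by the CVE description.

```javascript
// Added example (not PatchSiren's or the validator project's code): scan
// a package-lock.json object for copies of "validator" below 1.1.0, the
// range NVD lists as vulnerable. The sample lockfiles are constructed.

const PACKAGE_NAME = 'validator';
const FIRST_FIXED = [1, 1, 0]; // fix implied by the "before 1.1.0" cutoff

// Parse "MAJOR.MINOR.PATCH" into a numeric triple. Pre-release and build
// suffixes are dropped, an assumption that is acceptable for a lower-than
// check against a plain release version.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  const parts = core.split('.').map((n) => parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable when the version parses and sorts before the first fixed one.
function isVulnerableVersion(v) {
  const parsed = parseVersion(v);
  return parsed !== null && compareVersions(parsed, FIRST_FIXED) < 0;
}

// v1 layout: recurse through nested "dependencies" objects, building the
// node_modules path as we go.
function walkV1(deps, prefix, findings) {
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    if (name === PACKAGE_NAME && isVulnerableVersion(meta.version)) {
      findings.push({ path, version: meta.version });
    }
    if (meta.dependencies) walkV1(meta.dependencies, `${path}/node_modules`, findings);
  }
}

// Return every vulnerable copy with its install path. A v2 lockfile carries
// both "packages" and "dependencies", so "packages" is preferred to avoid
// reporting the same copy twice.
function findVulnerableCopies(lockfile) {
  const findings = [];
  if (lockfile.packages) {
    // Keys look like "node_modules/validator" or
    // "node_modules/some-lib/node_modules/validator".
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      const leaf = path.split('node_modules/').pop();
      if (leaf === PACKAGE_NAME && isVulnerableVersion(meta.version)) {
        findings.push({ path, version: meta.version });
      }
    }
  } else if (lockfile.dependencies) {
    walkV1(lockfile.dependencies, 'node_modules', findings);
  }
  return findings;
}

// Constructed v3-style lockfile with one direct and two nested copies.
const SAMPLE_V3_LOCKFILE = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/validator': { version: '1.0.4' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/validator': { version: '3.22.0' },
    'node_modules/old-lib': { version: '0.1.0' },
    'node_modules/old-lib/node_modules/validator': { version: '0.5.0' },
  },
};

// Constructed v1-style lockfile: the direct copy is fixed, a nested one is not.
const SAMPLE_V1_LOCKFILE = {
  lockfileVersion: 1,
  dependencies: {
    validator: { version: '1.1.0' },
    'old-lib': {
      version: '0.1.0',
      dependencies: { validator: { version: '1.0.4' } },
    },
  },
};

console.log(findVulnerableCopies(SAMPLE_V3_LOCKFILE));
console.log(findVulnerableCopies(SAMPLE_V1_LOCKFILE));
```

To run this against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the install paths in the output point at the dependency that pulls in the old copy, which is what you need when the fix is an upgrade of an intermediate package rather than of validator itself.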

Evidence notes

The CVE record was published on 2017-01-23 and later modified on 2026-05-13 in the supplied NVD data. NVD identifies the weakness as CWE-79 and includes the vulnerable CPE criteria for node.js validator versions through 1.0.4. The supplied references include an OSS Security mailing list post dated 2016-04-20 and a NodeSecurity advisory, which support the advisory lineage for this issue.

Official resources

The supplied record shows the CVE published on 2017-01-23, with source references from 2016-04-20. This debrief uses the published CVE date for record timing and the referenced advisory dates only as supporting context.