Conversation

@DanielDerefaka DanielDerefaka commented Dec 22, 2025

Summary

Bumps valibot from ^0.38.0 to ^1.2.0 to fix a HIGH severity ReDoS vulnerability in EMOJI_REGEX.

Security Advisory

Testing

  • Build passes
  • All 2660 unit tests pass

Fixes #2303

Contribution by Gittensor, see my contribution statistics at https://gittensor.io/miners/details?githubId=101010297

Bumps valibot from ^0.38.0 to ^1.2.0 to fix a HIGH severity ReDoS
vulnerability in EMOJI_REGEX (GHSA-vqpr-j7v3-hqw9).

All tests pass with the new version.

Fixes bitcoinjs#2303
@DanielDerefaka
Author

@Sjors would you review this PR?

@jasonandjay
Member

Okay, let's solve this problem.

@DanielDerefaka
Author

@jasonandjay just checking if there's anything else needed for this to be merged?

@junderw junderw left a comment
Member

I am fine with bumping the dependency if it doesn't break anything.

But I don't understand how this affects us. If you could explain how the vulnerability affects this library I will treat this PR with more urgency.

Please remove the peer: true stuff.


junderw commented Dec 31, 2025

The gitdiff job failure is probably due to all the peer: true stuff that was added for some reason.

Clean up package-lock.json to only contain the valibot version bump
without the spurious peer:true markers that npm automatically adds.

DanielDerefaka commented Dec 31, 2025

Hi @junderw, thank you for the feedback!

I've removed the peer: true additions from package-lock.json - those were unintentionally added by npm during the install process.

How this vulnerability affects bitcoinjs-lib:

The valibot library is used in bitcoinjs-lib for input validation (schema validation). The vulnerability (GHSA-vqpr-j7v3-hqw9) is a ReDoS (Regular Expression Denial of Service) issue in valibot's EMOJI_REGEX pattern.

While bitcoinjs-lib may not directly use emoji validation, the vulnerable regex pattern exists in the valibot package regardless. An attacker could potentially:

  1. Craft malicious input strings that trigger catastrophic backtracking in the regex
  2. Cause the validation to hang or consume excessive CPU resources
  3. Lead to denial of service if validation is performed on untrusted input

Bumping to valibot v1.2.0 fixes this by using a safer regex implementation that doesn't suffer from exponential backtracking.

The fix is a low-risk dependency bump that addresses a potential DoS vector without any breaking changes to the API.


junderw commented Jan 2, 2026

ahhh ok I see. The gitdiff problem was caused by the update to valibot.

Please run npm run build locally and commit the changes to the *.d.ts files as well.

Thanks.

I am still not sure if this is a vulnerability in all string validations or if it's just a vulnerability in a specific validation that we don't use.
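The open question in this thread is whether the advisory is reachable from bitcoinjs-lib at all, i.e. whether any code path actually calls the validator that compiles EMOJI_REGEX, or whether the pattern merely sits unused inside the dependency. The block below is an added example written for this review, not code from bitcoinjs-lib or valibot: a small static reachability check that scans source text for validators invoked on a valibot import (both `import * as v from 'valibot'` and named imports) and reports which files reach a validator on an "affected" list. The affected list and the sample files are assumptions constructed for the example; in particular, it assumes the `emoji` action is the consumer of EMOJI_REGEX, which the advisory text on this page does not state.

```javascript
// Added example (not bitcoinjs-lib or valibot code): static reachability
// check for a dependency advisory. It answers "do we call the affected
// validator anywhere?" rather than "is the affected package installed?".

// ASSUMPTION: the validator that compiles EMOJI_REGEX is `emoji`. Adjust
// this set from the advisory's patched-function list for a real audit.
const AFFECTED_VALIDATORS = new Set(['emoji']);

// Local alias of a namespace import, e.g. `import * as v from 'valibot'` -> 'v'.
// Returns null when the file has no namespace import of valibot.
function valibotNamespaceAlias(source) {
  const m = source.match(/import\s*\*\s*as\s+(\w+)\s+from\s+['"]valibot['"]/);
  return m ? m[1] : null;
}

// Names pulled in via `import { pipe, string as str } from 'valibot'`.
// Keeps the imported (original) name, since that is what the advisory names.
function valibotNamedImports(source) {
  const names = new Set();
  const re = /import\s*\{([^}]*)\}\s*from\s+['"]valibot['"]/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    for (const part of m[1].split(',')) {
      const name = part.trim().split(/\s+as\s+/)[0].trim();
      if (name) names.add(name);
    }
  }
  return names;
}

// Validators the file actually invokes: `v.emoji(` via the alias, or a
// bare `emoji(` when it was imported by name. Importing alone is not a call.
function usedValidators(source) {
  const used = new Set();
  const alias = valibotNamespaceAlias(source);
  if (alias) {
    const re = new RegExp(`\\b${alias}\\.(\\w+)\\s*\\(`, 'g');
    let m;
    while ((m = re.exec(source)) !== null) used.add(m[1]);
  }
  for (const name of valibotNamedImports(source)) {
    if (new RegExp(`\\b${name}\\s*\\(`).test(source)) used.add(name);
  }
  return used;
}

// Map each affected validator to the files that call it. An empty object
// means the advisory is not reachable from this code (by static inspection).
function reachableAffected(files, affected = AFFECTED_VALIDATORS) {
  const hits = {};
  for (const [path, source] of Object.entries(files)) {
    for (const name of usedValidators(source)) {
      if (!affected.has(name)) continue;
      if (!hits[name]) hits[name] = [];
      hits[name].push(path);
    }
  }
  return hits;
}

// Constructed sample sources (not files from bitcoinjs-lib): one file uses
// only numeric/hex validators, the other reaches the assumed-affected action.
const SAMPLE_FILES = {
  'src/types.ts': `
import * as v from 'valibot';
export const HexSchema = v.pipe(v.string(), v.regex(/^[0-9a-f]*$/i));
export const AmountSchema = v.pipe(v.number(), v.integer(), v.minValue(0));
`,
  'src/label.ts': `
import { pipe, string, emoji, maxLength } from 'valibot';
export const LabelSchema = pipe(string(), maxLength(32), emoji());
`,
};

// prints {"emoji":["src/label.ts"]}
console.log(JSON.stringify(reachableAffected(SAMPLE_FILES)));
```

In a real repository the `SAMPLE_FILES` object would be built by reading `src/**/*.ts` with `fs`. The check is deliberately syntactic: it tells you which validator calls exist, which is the question the reviewer asked, but it does not follow re-exports or other dependencies that might themselves call into valibot, so a clean result narrows the advisory's impact rather than proving it away.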


Development

Successfully merging this pull request may close these issues.

Security: transitive ReDoS vulnerability via valibot dependency
