CVE-2025-66020: CWE-1333: Inefficient Regular Expression Complexity in open-circle valibot
Valibot helps validate data using a schema. In versions from 0.31.0 to 1.1.0, the EMOJI_REGEX used in the emoji action is vulnerable to a Regular Expression Denial of Service (ReDoS) attack. A short, maliciously crafted string (e.g., <100 characters) can cause the regex engine to consume excessive CPU time (minutes), leading to a Denial of Service (DoS) for the application. This issue has been patched in version 1.2.0.
AI Analysis
Technical Summary
Valibot is a schema-based data validation library developed by open-circle and widely used to ensure data integrity in applications. Versions 0.31.0 through 1.1.0 contain a vulnerability identified as CVE-2025-66020, classified under CWE-1333 (Inefficient Regular Expression Complexity). The vulnerability stems from the EMOJI_REGEX pattern used in the emoji validation action, which is susceptible to Regular Expression Denial of Service (ReDoS). A maliciously crafted input string, typically fewer than 100 characters, can cause catastrophic backtracking in the regex engine, leading to excessive CPU usage and effectively a denial of service condition for the host application. The attack requires no privileges or user interaction and can be triggered remotely by submitting crafted input to any service that relies on a vulnerable valibot version for emoji validation. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (high severity), reflecting its network attack vector, low attack complexity, no privileges or user interaction required, and an impact limited to availability (denial of service). The issue was publicly disclosed on November 26, 2025, and patched in valibot version 1.2.0. No exploits are currently known in the wild, but the simplicity of the attack and the widespread use of valibot in JavaScript/Node.js environments make it a credible threat. Organizations using valibot for input validation, especially those processing emoji or user-generated content, should treat remediation of this vulnerability as a priority to avoid service disruptions.
Potential Impact
For European organizations, the primary impact of CVE-2025-66020 is service availability degradation or denial due to excessive CPU consumption triggered by crafted input. This can lead to application downtime, degraded user experience, and potential cascading failures in dependent systems. Organizations providing web services, APIs, or platforms that validate user input with valibot are at risk of targeted or opportunistic ReDoS attacks, which could be leveraged to disrupt business operations or cause reputational damage. In sectors such as finance, healthcare, and critical infrastructure, where availability is paramount, this vulnerability could have severe operational consequences. Additionally, the attack could be used as a smokescreen for other malicious activities by distracting security teams. Although confidentiality and integrity are not directly impacted, the denial of service effect can indirectly affect business continuity and compliance with service level agreements (SLAs).
Mitigation Recommendations
The most effective mitigation is to upgrade all instances of valibot to version 1.2.0 or later, where the EMOJI_REGEX vulnerability has been patched. Organizations should audit their codebases and dependency lock files to identify any use of valibot versions between 0.31.0 and 1.1.0. If immediate upgrading is not feasible, rate limiting validation requests and applying anomaly detection to inputs containing emojis can reduce the risk of exploitation. Additionally, deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspiciously crafted emoji inputs may help mitigate attacks. Developers should avoid relying solely on regex-based emoji validation and consider alternative validation methods that do not involve complex regex patterns. Monitoring CPU usage and application performance metrics for unusual spikes can provide early warning of exploitation attempts. Finally, educating development teams about ReDoS risks and secure regex practices will help prevent similar vulnerabilities in the future.
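The following JavaScript is an added example and is not valibot's code or the patched EMOJI_REGEX. It illustrates two of the mitigations above for the case where an upgrade has to wait: a length guard that can be wrapped around any existing validator so the work a single request can trigger is bounded, and an emoji check that walks the input one code point at a time instead of running a large backtracking regex, which is the alternative the technical summary's "catastrophic backtracking" point calls for. The accepted emoji grammar (a pictographic code point, an optional skin-tone modifier or VS16, ZWJ-joined sequences, and regional-indicator pairs), the 64-unit cap, and all sample inputs are assumptions made for this example.

```javascript
// Added example, not valibot's code. Two defensive patterns against ReDoS in
// emoji validation: (1) a length guard applied before any validator runs, so
// the work an attacker can trigger is bounded by the cap, and (2) an emoji
// check that inspects the input code point by code point instead of running
// one large backtracking regex. The accepted grammar below is a simplified
// model of Unicode emoji sequences, assumed for this example.

const MAX_EMOJI_INPUT_LENGTH = 64; // assumed cap (UTF-16 units); tune per field

// Each regex below is anchored and matches exactly one code point (u flag),
// so a test() call does constant work and cannot backtrack across the input.
const PICTOGRAPHIC = /^\p{Extended_Pictographic}$/u;
const SKIN_TONE_MODIFIER = /^\p{Emoji_Modifier}$/u;
const REGIONAL_INDICATOR = /^[\u{1F1E6}-\u{1F1FF}]$/u;
const VS16 = "\uFE0F"; // variation selector-16 (requests emoji presentation)
const ZWJ = "\u200D";  // zero width joiner

// Skip an optional skin-tone modifier or VS16 that follows a pictographic.
function skipOptionalSuffix(cps, i) {
  if (i < cps.length && (SKIN_TONE_MODIFIER.test(cps[i]) || cps[i] === VS16)) {
    return i + 1;
  }
  return i;
}

// Linear-time check: every code point is examined once, so the running time
// grows with the input length only, regardless of the input's content.
function isEmojiOnly(input) {
  if (typeof input !== "string" || input.length === 0) return false;
  if (input.length > MAX_EMOJI_INPUT_LENGTH) return false;

  const cps = Array.from(input); // iterates by code point, keeping surrogate pairs intact
  let i = 0;
  while (i < cps.length) {
    // Two regional indicators form a flag; a lone one is rejected.
    if (REGIONAL_INDICATOR.test(cps[i])) {
      if (i + 1 < cps.length && REGIONAL_INDICATOR.test(cps[i + 1])) {
        i += 2;
        continue;
      }
      return false;
    }
    if (!PICTOGRAPHIC.test(cps[i])) return false;
    i = skipOptionalSuffix(cps, i + 1);
    // A ZWJ must join two pictographics; a trailing or doubled ZWJ is rejected.
    while (i < cps.length && cps[i] === ZWJ) {
      i += 1;
      if (i >= cps.length || !PICTOGRAPHIC.test(cps[i])) return false;
      i = skipOptionalSuffix(cps, i + 1);
    }
  }
  return true;
}

// Wrap any existing validator (including a regex-based one that cannot be
// replaced yet) so over-long input is rejected before the validator runs.
function withLengthGuard(validator, maxLength = MAX_EMOJI_INPUT_LENGTH) {
  return (input) =>
    typeof input === "string" && input.length <= maxLength && validator(input);
}

// Constructed sample inputs (not taken from the advisory).
const guardedCheck = withLengthGuard(isEmojiOnly);
console.log(isEmojiOnly("😀"), isEmojiOnly("👍🏽"), isEmojiOnly("🇩🇪"), isEmojiOnly("👨‍👩‍👧"));
console.log(isEmojiOnly("abc"), isEmojiOnly("😀a"), isEmojiOnly("😀\u200D"));
console.log(guardedCheck("😀".repeat(100))); // rejected by the cap before any scanning
```

The guard rejects by UTF-16 length before any pattern work happens, which is the property that matters for ReDoS: the cost of a request is bounded up front rather than by the input's shape. The scanner is a drop-in candidate for a custom check when regex-based emoji validation cannot be trusted, and it can be narrowed or widened to the emoji grammar a given field actually needs.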
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-21T01:08:02.613Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69265f3eca41832e1e61653a
Added to database: 11/26/2025, 2:00:30 AM
Last enriched: 12/3/2025, 4:29:21 AM
Last updated: 12/5/2025, 12:21:32 AM
Views: 54