ReDoS Vulnerability in Valibot (via a deprecated dependency @gcornut/valibot-json-schema)

[rxdiscovery]

Hi 👋,

I would like to report a security vulnerability affecting your project through a transitive dependency, one of which is now deprecated.

---

📌 Vulnerability Details

• Affected package: valibot
• Vulnerable versions: >=0.31.0 <1.2.0
• Severity: High
• Type: ReDoS (Regular Expression Denial of Service)
• Cause: Vulnerable EMOJI_REGEX
• Official advisory: GHSA-vqpr-j7v3-hqw9

📦 Dependency chain involved

sveltekit-superforms → @gcornut/valibot-json-schema (deprecated) → valibot

⚠️ Impact

An attacker can exploit the vulnerable regex to trigger a Denial of Service (ReDoS) via specially crafted input.

🛠 Recommendation

• Update valibot to ≥ 1.2.0 or any version containing the fix.
• Since @gcornut/valibot-json-schema is deprecated, consider replacing it with a maintained alternative or a suitable JSON Schema mapping solution.
  (The official repo indicates the deprecation: https://github.com/gcornut/valibot-json-schema)

---

🙏 Thanks

Thank you for your work on this project..

[kass-kass]

@ciscoheat I hope it's possible to take a look at this issue as it's a high-level vulnerability and comes from using a package that has been deprecated for over a year.

I have looked at the implementation of the package in question and tried a simple fix, but seems like the replacement recommended by the package author is not a drop-in replacement, so some tests end up failing as a result. In any case I hope it could be helpful a bit:
#668