In the case of a confirmed security issue, only the current version of validator is guaranteed to be patched.
Please don't disclose security-related issues publicly.
Report the security issue to the Node.js Security Working Group through the HackerOne program for ecosystem modules on npm, or to the Snyk Security Team. They will help triage the security issue and work with all involved parties to remediate and release a fix.