All versions of package is-user-valid are vulnerable to LDAP Injection which can lead to either authentication bypass or information exposure.