| Titel | Zod- jsVideoUrlParser 0.1.3 to 0.5.1 Inefficient Regular Expression Complexity |
|---|
| Beschreibung | A Regular Expression Denial of Service (ReDoS) vulnerability exists through version 0.1.3 to 0.5.1. The getTime() function in lib/util.js (line 97) uses the regular expression /^(\d+[smhdw]?)+$/ to validate timestamp parameters parsed from video URLs. Due to nested quantifiers in the pattern, a crafted string consisting of a long sequence of digits followed by a single non-matching character causes catastrophic backtracking with O(2^n) time complexity. An unauthenticated remote attacker can trigger this condition by supplying a malicious t or start URL parameter to any application that calls urlParser.parse(), causing the Node.js event loop to block for several seconds per request and resulting in denial of service.
more details: https://github.com/Zod-/jsVideoUrlParser/issues/121 |
|---|
| Quelle | ⚠️ https://github.com/Zod-/jsVideoUrlParser/issues/121 |
|---|
| Benutzer | ybdesire (UID 83239) |
|---|
| Einreichung | 28.03.2026 13:28 (vor 16 Tagen) |
|---|
| Moderieren | 09.04.2026 14:23 (12 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 356540 [Zod jsVideoUrlParser bis 0.5.1 lib/util.js getTime timestamp Denial of Service] |
|---|
| Punkte | 20 |
|---|