| Título | Zod- jsVideoUrlParser 0.1.3 to 0.5.1 Inefficient Regular Expression Complexity |
|---|
| Descripción | A Regular Expression Denial of Service (ReDoS) vulnerability exists through version 0.1.3 to 0.5.1. The getTime() function in lib/util.js (line 97) uses the regular expression /^(\d+[smhdw]?)+$/ to validate timestamp parameters parsed from video URLs. Due to nested quantifiers in the pattern, a crafted string consisting of a long sequence of digits followed by a single non-matching character causes catastrophic backtracking with O(2^n) time complexity. An unauthenticated remote attacker can trigger this condition by supplying a malicious t or start URL parameter to any application that calls urlParser.parse(), causing the Node.js event loop to block for several seconds per request and resulting in denial of service.
more details: https://github.com/Zod-/jsVideoUrlParser/issues/121 |
|---|
| Fuente | ⚠️ https://github.com/Zod-/jsVideoUrlParser/issues/121 |
|---|
| Usuario | ybdesire (UID 83239) |
|---|
| Sumisión | 2026-03-28 13:28 (hace 15 días) |
|---|
| Moderación | 2026-04-09 14:23 (12 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 356540 [Zod jsVideoUrlParser hasta 0.5.1 lib/util.js getTime timestamp denegación de servicio] |
|---|
| Puntos | 20 |
|---|