| タイトル | Zod- jsVideoUrlParser 0.1.3 to 0.5.1 Inefficient Regular Expression Complexity |
|---|
| 説明 | A Regular Expression Denial of Service (ReDoS) vulnerability exists through version 0.1.3 to 0.5.1. The getTime() function in lib/util.js (line 97) uses the regular expression /^(\d+[smhdw]?)+$/ to validate timestamp parameters parsed from video URLs. Due to nested quantifiers in the pattern, a crafted string consisting of a long sequence of digits followed by a single non-matching character causes catastrophic backtracking with O(2^n) time complexity. An unauthenticated remote attacker can trigger this condition by supplying a malicious t or start URL parameter to any application that calls urlParser.parse(), causing the Node.js event loop to block for several seconds per request and resulting in denial of service.
more details: https://github.com/Zod-/jsVideoUrlParser/issues/121 |
|---|
| ソース | ⚠️ https://github.com/Zod-/jsVideoUrlParser/issues/121 |
|---|
| ユーザー | ybdesire (UID 83239) |
|---|
| 送信 | 2026年03月28日 13:28 (25 日 ago) |
|---|
| モデレーション | 2026年04月09日 14:23 (12 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 356540 [Zod jsVideoUrlParser 迄 0.5.1 lib/util.js getTime timestamp サービス拒否] |
|---|
| ポイント | 20 |
|---|