| Title | Zod- jsVideoUrlParser 0.1.3 to 0.5.1 Inefficient Regular Expression Complexity |
|---|
| Description | A Regular Expression Denial of Service (ReDoS) vulnerability exists through version 0.1.3 to 0.5.1. The getTime() function in lib/util.js (line 97) uses the regular expression /^(\d+[smhdw]?)+$/ to validate timestamp parameters parsed from video URLs. Due to nested quantifiers in the pattern, a crafted string consisting of a long sequence of digits followed by a single non-matching character causes catastrophic backtracking with O(2^n) time complexity. An unauthenticated remote attacker can trigger this condition by supplying a malicious t or start URL parameter to any application that calls urlParser.parse(), causing the Node.js event loop to block for several seconds per request and resulting in denial of service.
more details: https://github.com/Zod-/jsVideoUrlParser/issues/121 |
|---|
| Source | ⚠️ https://github.com/Zod-/jsVideoUrlParser/issues/121 |
|---|
| User | ybdesire (UID 83239) |
|---|
| Submission | 03/28/2026 13:28 (13 days ago) |
|---|
| Moderation | 04/09/2026 14:23 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 356540 [Zod jsVideoUrlParser up to 0.5.1 lib/util.js getTime timestamp redos] |
|---|
| Points | 20 |
|---|