Description
Regex Denial of Service in youtube-regex npm package through version 1.0.5.
Published: 2026-05-07
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to trigger a denial of service by passing specially crafted input to the youtube-regex npm package. The regex engine performs catastrophic backtracking, consuming excessive CPU and memory. This leads to application hang or crash, impacting availability of services that rely on the module.

Affected Systems

The npm module youtube-regex, versions 1.0.5 and below, is affected. The vendor is not specified, but the package is widely used in Node.js projects that parse YouTube URLs.

Risk and Exploitability

The CVSS score of 7.5 is rated High. The EPSS score is not available, but the vulnerability is classified as a denial-of-service. It is not listed in CISA KEV, so exploitation in the wild has not been confirmed there, although the SSVC data recorded in the history below lists exploitation as 'poc'. However, the lack of remediation guidance and the potential for resource exhaustion mean that an application that depends on this module is at moderate to high risk if the vulnerable version is in use. The attack likely requires sending crafted input to the regex function, which can be achieved by any user who can influence the input data for YouTube URL parsing.

Generated by OpenCVE AI on May 7, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade youtube-regex to version 1.0.6 or later, if available.
  • Apply input sanitization to reject malformed URLs before passing them to the regex.
  • Consider replacing youtube-regex with an alternative library that has been validated against ReDoS vulnerabilities.

Advisories

No advisories yet.

History

Thu, 07 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Regex Denial of Service in youtube-regex npm package through version 1.0.5

Thu, 07 May 2026 16:45:00 +0000

Type Values Removed Values Added
Title Regex Denial of Service in youtube-regex npm package through version 1.0.5
Weaknesses CWE-770

Thu, 07 May 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Regex Denial of Service in youtube-regex npm package through version 1.0.5.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T15:39:58.691Z

Reserved: 2025-11-18T00:00:00.000Z

Link: CVE-2025-65122

Vulnrichment

Updated: 2026-05-07T15:39:54.771Z

NVD

Status: Received

Published: 2026-05-07T16:16:17.810

Modified: 2026-05-07T16:16:17.810

Link: CVE-2025-65122

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T17:30:25Z

Weaknesses