Description
A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Regular Expression DoS in jsVideoUrlParser's getTime function
Action: Patch
AI Analysis

Impact

A flaw in the getTime function of Zod jsVideoUrlParser allows an attacker to craft input that causes the regular expression to become computationally expensive, resulting in a denial of service. The weakness is a classic example of regular expression denial of service (CWE-1333) and uncontrolled resource consumption (CWE-400). If exploited, the application will consume excessive CPU cycles, potentially leading to degraded performance or service unavailability for legitimate users.

Affected Systems

The vulnerability affects all installations of Zod jsVideoUrlParser up to version 0.5.1. No specific build or distribution details are provided beyond the product name and maximum affected version. Users employing this library within their codebases are at risk.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity, and the vulnerability can be triggered remotely by an attacker sending specially crafted video URL timestamps to the getTime routine. EPSS data is not available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack vector is presumed to be remote, as the function can be accessed via normal application inputs.

Generated by OpenCVE AI on April 9, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of jsVideoUrlParser, if a patched version is available
  • If an update is not available, vet inputs to the getTime function, limit the complexity of accepted timestamp patterns, or add input length checks to reduce regex cost
  • Implement rate limiting or resource accounting around calls to getTime to prevent a single user from overwhelming the system
  • Continuously monitor server CPU usage and application responsiveness to detect anomalous spikes caused by potential DoS attempts
  • Contact the package maintainer to encourage a formal patch and request a known fix or advisory

Generated by OpenCVE AI on April 9, 2026 at 23:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8fgx-wgvr-pcx8 Zod jsVideoUrlParser vulnerable to ReDoS in util.js
History

Tue, 14 Apr 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Zod
Zod jsvideourlparser
Vendors & Products Zod
Zod jsvideourlparser

Thu, 09 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title Zod jsVideoUrlParser util.js getTime redos
Weaknesses CWE-1333
CWE-400
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Zod Jsvideourlparser
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-14T03:12:25.849Z

Reserved: 2026-04-09T12:23:35.990Z

Link: CVE-2026-5986

cve-icon Vulnrichment

Updated: 2026-04-14T03:12:20.286Z

cve-icon NVD

Status : Deferred

Published: 2026-04-09T23:17:01.920

Modified: 2026-04-24T18:02:46.583

Link: CVE-2026-5986

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:36Z

Weaknesses