CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Blast Radius
Ecosystem impact: 15 npm packages depend on youtube-regex (5 direct, 10 indirect).
Ecosystem-wide dependent count for version 1.0.5.
Description (NVD)
Regex Denial of Service in youtube-regex npm package through version 1.0.5.
Analysis (AI)
Regular expression denial of service (ReDoS) in the youtube-regex npm package, versions 1.0.5 and earlier, lets a remote, unauthenticated attacker degrade service availability with crafted input delivered over the network. A crafted string triggers catastrophic backtracking in the regex engine, exhausting CPU and hanging the application. The SSVC assessment indicates that proof-of-concept code exists and that exploitation is automatable. CVSS rates the vulnerability high severity (7.5) for its availability impact, but real-world risk depends on whether the vulnerable package processes untrusted user input in production environments.
Technical Context (AI)
The youtube-regex npm package provides regular expression patterns for validating and extracting YouTube URLs. The vulnerability is classed as CWE-400 (Uncontrolled Resource Consumption), realised as Regular Expression Denial of Service (ReDoS). ReDoS occurs when a backtracking regex engine encounters a pattern whose nested quantifiers or overlapping alternations give it exponential time complexity on specially crafted inputs. The pattern shipped in youtube-regex versions through 1.0.5 contains constructs susceptible to catastrophic backtracking: on a malicious input string, the JavaScript regex engine's matching time grows exponentially with input length, consuming CPU until a timeout fires or the application becomes unresponsive. It is exploitable on the client side of the library, i.e. in the Node.js applications that use this package for URL validation or extraction.
Remediation (AI)
Upgrade youtube-regex to a version newer than 1.0.5 if one is available; check the npm registry for a patched release addressing the ReDoS vulnerability. As of this analysis, no specific patched version number is confirmed by the available data sources; verify the current version status on npm and in the GitHub repository regexhq/youtube-regex. If no patch exists, apply compensating controls:
(1) Validate input length before passing strings to youtube-regex functions, capping them at the maximum expected YouTube URL length (~100 characters); this trades false negatives for DoS protection.
(2) Enforce a request-level timeout (e.g., 100ms) around regex operations to bound resource consumption; note that this may cause legitimate validation failures on slower systems.
(3) Rate limit endpoints that process user-supplied URLs to blunt automated exploitation.
(4) Consider replacing youtube-regex with a YouTube URL validation library that uses a non-backtracking algorithm, or with URL parsing APIs.
Review application logs for abnormal CPU spikes correlated with URL validation operations as potential exploitation indicators. Track GitHub issue https://github.com/regexhq/youtube-regex/issues/14 and the POC at https://gist.github.com/6en6ar/66ef99397068c0a5e0d963bc47d7172c for upstream remediation guidance.
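Compensating controls (1) and (3) above, as an added example that is not the advisory's text or the youtube-regex project's code: the length cap runs before any regex is evaluated, and a per-client token bucket fronts the endpoint. YOUTUBE_RE, MAX_URL_LEN, the handler shape and the client keys are constructed stand-ins; YOUTUBE_RE is not the package's actual pattern.

```javascript
'use strict';
// Added example, not code from the advisory or from youtube-regex.
// Control (1): hard length cap applied BEFORE the regex runs.
// Control (3): token-bucket rate limit per client on the URL endpoint.
// YOUTUBE_RE is a CONSTRUCTED stand-in for whatever validator an app uses.

const MAX_URL_LEN = 100; // advisory's ~100-character bound for YouTube URLs

const YOUTUBE_RE = /^https?:\/\/(?:www\.)?youtube\.com\/watch\?v=([\w-]{11})$/;

// Returns { ok: true, id } for a valid URL, otherwise { ok: false, reason }.
// Over-length input is refused before the regex is evaluated, so a crafted
// string never reaches the backtracking engine. 'too_long' is a distinct
// reason so callers can log it: a burst of these correlated with CPU
// spikes is the exploitation indicator the advisory asks operators to watch.
function validateYouTubeUrl(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not_string' };
  if (input.length > MAX_URL_LEN) return { ok: false, reason: 'too_long' };
  const m = YOUTUBE_RE.exec(input);
  return m ? { ok: true, id: m[1] } : { ok: false, reason: 'no_match' };
}

// Token bucket keyed by client: `capacity` requests, refilled at
// `refillPerSec`. `now` (ms) is injectable so behaviour is deterministic.
function makeRateLimiter(capacity, refillPerSec) {
  const buckets = new Map();
  return function allow(clientKey, now = Date.now()) {
    const b = buckets.get(clientKey) ?? { tokens: capacity, last: now };
    b.tokens = Math.min(capacity, b.tokens + ((now - b.last) / 1000) * refillPerSec);
    b.last = now;
    buckets.set(clientKey, b);
    if (b.tokens < 1) return false; // bucket empty: refuse this request
    b.tokens -= 1;
    return true;
  };
}

// Request gate: rate limit first, then length-gated validation.
function handleUrlRequest(clientKey, body, allow, now) {
  if (!allow(clientKey, now)) return { status: 429, reason: 'rate_limited' };
  const r = validateYouTubeUrl(body);
  return r.ok ? { status: 200, id: r.id } : { status: 400, reason: r.reason };
}
```

Control (2), a timeout, cannot interrupt a synchronous regex on the same thread; it needs the match to run in a worker_threads Worker with a deadline, which this example does not cover.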
External POC / Exploit Code
EUVD-2025-209731
GHSA-vpxx-h23g-gxh2