Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 15 npm packages depend on youtube-regex (5 direct, 10 indirect)
Ecosystem-wide dependent count for version 1.0.5.
DescriptionCVE.org
Regex Denial of Service in youtube-regex npm package through version 1.0.5.
AnalysisAI
Regular expression denial of service (ReDoS) in youtube-regex npm package versions ≤1.0.5 allows remote unauthenticated attackers to cause service-level availability degradation through network-delivered crafted inputs. Attackers can trigger catastrophic backtracking in the regex parser, causing CPU exhaustion and application hang. SSVC framework confirms proof-of-concept code exists with automatable exploitation capability. While CVSS rates this high severity (7.5) for availability impact, real-world risk depends on whether the vulnerable package processes untrusted user input in production environments.
Technical ContextAI
The youtube-regex npm package provides regular expression patterns for validating and extracting YouTube URLs. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption) via Regular Expression Denial of Service (ReDoS). ReDoS occurs when regex engines using backtracking algorithms encounter patterns with nested quantifiers or alternations that create exponential time complexity on specially crafted inputs. The vulnerable regex pattern in youtube-regex versions through 1.0.5 contains constructs susceptible to catastrophic backtracking. When processing malicious input strings, the JavaScript regex engine enters a state where matching time grows exponentially with input length, consuming CPU resources until timeouts occur or the application becomes unresponsive. This is a client-side vulnerability in Node.js applications that use this package for URL validation or extraction.
RemediationAI
Upgrade youtube-regex to a version newer than 1.0.5 if available by checking npm registry for patched releases addressing the ReDoS vulnerability. As of this analysis, no specific patched version number is confirmed from provided data sources - verify current version status at npm and the GitHub repository regexhq/youtube-regex. If no patch exists, implement compensating controls: (1) Add input length validation limiting processed strings to maximum expected YouTube URL length (~100 characters) before passing to youtube-regex functions, trading false negatives for DoS protection; (2) Implement request-level timeout enforcement (e.g., 100ms) around regex operations to prevent resource exhaustion, though this may cause legitimate validation failures on slower systems; (3) Apply rate limiting on endpoints processing user-supplied URLs to prevent automated exploitation; (4) Consider replacing youtube-regex with alternative YouTube URL validation libraries that use non-backtracking algorithms or URL parsing APIs. Review application logs for abnormal CPU spikes correlated with URL validation operations as potential exploitation indicators. Track GitHub issue https://github.com/regexhq/youtube-regex/issues/14 and POC at https://gist.github.com/6en6ar/66ef99397068c0a5e0d963bc47d7172c for upstream remediation guidance.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209731
GHSA-vpxx-h23g-gxh2