Skip to main content

Zod CVE-2026-5986

| EUVDEUVD-2026-21236 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-09 cna@vuldb.com GHSA-8fgx-wgvr-pcx8
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 09, 2026 - 23:22 euvd
EUVD-2026-21236
Analysis Generated
Apr 09, 2026 - 23:22 vuln.today
CVE Published
Apr 09, 2026 - 23:17 nvd
MEDIUM 5.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 188 npm packages depend on js-video-url-parser (15 direct, 173 indirect)

Ecosystem-wide dependent count for version 0.5.1.

DescriptionCVE.org

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Regular expression denial of service (ReDoS) in jsVideoUrlParser library version 0.5.1 and earlier allows remote attackers to cause application availability loss by supplying a malicious timestamp argument to the getTime function in lib/util.js. The vulnerability exhibits inefficient regular expression complexity that can be triggered without authentication or user interaction. Publicly available exploit code exists, though the maintainer has not yet responded to early notification of the issue.

Technical ContextAI

The vulnerability resides in the getTime function within jsVideoUrlParser's lib/util.js, which processes timestamp arguments using a regular expression susceptible to catastrophic backtracking (CWE-400). When an attacker crafts a specially designed timestamp string, the regex engine enters a state of exponential backtracking, consuming CPU resources and causing denial of service. jsVideoUrlParser is a JavaScript library used to parse and extract video information from video platform URLs; the timestamp parsing function is typically invoked during URL processing workflows. The underlying issue is improper regex design that fails to handle input efficiently, allowing attackers to exploit algorithmic complexity rather than executing arbitrary code.

RemediationAI

Upgrade jsVideoUrlParser to a patched version released after addressing the ReDoS vulnerability. Check the project repository at https://github.com/Zod-/jsVideoUrlParser/issues/121 for available updates and pull requests that fix the inefficient regex in lib/util.js. If no patched release is available from the maintainer, consider using an alternative video URL parsing library or implementing input validation and sanitization to reject malformed timestamp arguments before they reach the getTime function. Apply strict timeout limits to regex operations if remaining on vulnerable versions temporarily.

Share

CVE-2026-5986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy