Skip to main content

youtube-regex EUVDEUVD-2025-209731

| CVE-2025-65122 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-07 mitre GHSA-vpxx-h23g-gxh2
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 07, 2026 - 18:00 vuln.today
CVSS changed
May 07, 2026 - 16:22 NVD
7.5 (HIGH)
CVE Published
May 07, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 00:00 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 15 npm packages depend on youtube-regex (5 direct, 10 indirect)

Ecosystem-wide dependent count for version 1.0.5.

DescriptionCVE.org

Regex Denial of Service in youtube-regex npm package through version 1.0.5.

AnalysisAI

Regular expression denial of service (ReDoS) in youtube-regex npm package versions ≤1.0.5 allows remote unauthenticated attackers to cause service-level availability degradation through network-delivered crafted inputs. Attackers can trigger catastrophic backtracking in the regex parser, causing CPU exhaustion and application hang. SSVC framework confirms proof-of-concept code exists with automatable exploitation capability. While CVSS rates this high severity (7.5) for availability impact, real-world risk depends on whether the vulnerable package processes untrusted user input in production environments.

Technical ContextAI

The youtube-regex npm package provides regular expression patterns for validating and extracting YouTube URLs. The vulnerability stems from CWE-400 (Uncontrolled Resource Consumption) via Regular Expression Denial of Service (ReDoS). ReDoS occurs when regex engines using backtracking algorithms encounter patterns with nested quantifiers or alternations that create exponential time complexity on specially crafted inputs. The vulnerable regex pattern in youtube-regex versions through 1.0.5 contains constructs susceptible to catastrophic backtracking. When processing malicious input strings, the JavaScript regex engine enters a state where matching time grows exponentially with input length, consuming CPU resources until timeouts occur or the application becomes unresponsive. This is a client-side vulnerability in Node.js applications that use this package for URL validation or extraction.

RemediationAI

Upgrade youtube-regex to a version newer than 1.0.5 if available by checking npm registry for patched releases addressing the ReDoS vulnerability. As of this analysis, no specific patched version number is confirmed from provided data sources - verify current version status at npm and the GitHub repository regexhq/youtube-regex. If no patch exists, implement compensating controls: (1) Add input length validation limiting processed strings to maximum expected YouTube URL length (~100 characters) before passing to youtube-regex functions, trading false negatives for DoS protection; (2) Implement request-level timeout enforcement (e.g., 100ms) around regex operations to prevent resource exhaustion, though this may cause legitimate validation failures on slower systems; (3) Apply rate limiting on endpoints processing user-supplied URLs to prevent automated exploitation; (4) Consider replacing youtube-regex with alternative YouTube URL validation libraries that use non-backtracking algorithms or URL parsing APIs. Review application logs for abnormal CPU spikes correlated with URL validation operations as potential exploitation indicators. Track GitHub issue https://github.com/regexhq/youtube-regex/issues/14 and POC at https://gist.github.com/6en6ar/66ef99397068c0a5e0d963bc47d7172c for upstream remediation guidance.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

EUVD-2025-209731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy