Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 188 npm packages depend on js-video-url-parser (15 direct, 173 indirect)
Ecosystem-wide dependent count for version 0.5.1.
DescriptionCVE.org
A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Regular expression denial of service (ReDoS) in jsVideoUrlParser library version 0.5.1 and earlier allows remote attackers to cause application availability loss by supplying a malicious timestamp argument to the getTime function in lib/util.js. The vulnerability exhibits inefficient regular expression complexity that can be triggered without authentication or user interaction. Publicly available exploit code exists, though the maintainer has not yet responded to early notification of the issue.
Technical ContextAI
The vulnerability resides in the getTime function within jsVideoUrlParser's lib/util.js, which processes timestamp arguments using a regular expression susceptible to catastrophic backtracking (CWE-400). When an attacker crafts a specially designed timestamp string, the regex engine enters a state of exponential backtracking, consuming CPU resources and causing denial of service. jsVideoUrlParser is a JavaScript library used to parse and extract video information from video platform URLs; the timestamp parsing function is typically invoked during URL processing workflows. The underlying issue is improper regex design that fails to handle input efficiently, allowing attackers to exploit algorithmic complexity rather than executing arbitrary code.
RemediationAI
Upgrade jsVideoUrlParser to a patched version released after addressing the ReDoS vulnerability. Check the project repository at https://github.com/Zod-/jsVideoUrlParser/issues/121 for available updates and pull requests that fix the inefficient regex in lib/util.js. If no patched release is available from the maintainer, consider using an alternative video URL parsing library or implementing input validation and sanitization to reject malformed timestamp arguments before they reach the getTime function. Apply strict timeout limits to regex operations if remaining on vulnerable versions temporarily.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21236
GHSA-8fgx-wgvr-pcx8