{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5986", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-09T12:23:35.990Z", "datePublished": "2026-04-09T22:30:14.639Z", "dateUpdated": "2026-04-09T22:30:14.639Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-09T22:30:14.639Z"}, "title": "Zod jsVideoUrlParser util.js getTime redos", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1333", "lang": "en", "description": "Inefficient Regular Expression Complexity"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "Resource Consumption"}]}], "affected": [{"vendor": "Zod", "product": "jsVideoUrlParser", "versions": [{"version": "0.5.0", "status": "affected"}, {"version": "0.5.1", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-09T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-09T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-09T14:28:41.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ybdesire (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/356540", "name": "VDB-356540 | Zod jsVideoUrlParser util.js getTime redos", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356540/cti", "name": "VDB-356540 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791911", "name": "Submit #791911 | Zod- jsVideoUrlParser 0.1.3 to 0.5.1 Inefficient Regular Expression Complexity", "tags": ["third-party-advisory"]}, {"url": "https://github.com/Zod-/jsVideoUrlParser/issues/121", "tags": ["issue-tracking"]}, {"url": "https://github.com/Zod-/jsVideoUrlParser/issues/121#issue-4159661957", "tags": ["exploit", "issue-tracking"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "id": "CVE-2026-5986", "lastModified": "2026-04-09T23:17:01.920", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-09T23:17:01.920", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/Zod-/jsVideoUrlParser/issues/121"}, {"source": "cna@vuldb.com", "url": "https://github.com/Zod-/jsVideoUrlParser/issues/121#issue-4159661957"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791911"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356540"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356540/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.5.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "0.5.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "jsVideoUrlParser", "source": "cna", "vendor": "Zod"}, "product": "jsvideourlparser", "vendor": "zod"}], "analysis": {"en": {"generated_at": "2026-04-09T23:20:59.878438+00:00", "value": {"mitigation_remediation": ["Apply the latest release of jsVideoUrlParser, if a patched version is available", "If an update is not available, vet inputs to the getTime function, limit the complexity of accepted timestamp patterns, or add input length checks to reduce regex cost", "Implement rate limiting or resource accounting around calls to getTime to prevent a single user from overwhelming the system", "Continuously monitor server CPU usage and application responsiveness to detect anomalous spikes caused by potential DoS attempts", "Contact the package maintainer to encourage a formal patch and request a known fix or advisory"], "summary": {"action": "Patch", "impact": "Denial of Service via Regular Expression DoS in jsVideoUrlParser's getTime function"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of Zod jsVideoUrlParser up to version 0.5.1. No specific build or distribution details are provided beyond the product name and maximum affected version. Users employing this library within their codebases are at risk.", "description_and_impact": "A flaw in the getTime function of Zod jsVideoUrlParser allows an attacker to craft input that causes the regular expression to become computationally expensive, resulting in a denial of service. The weakness is a classic example of regular expression denial of service (CWE-1333) and uncontrolled resource consumption (CWE-400). If exploited, the application will consume excessive CPU cycles, potentially leading to degraded performance or service unavailability for legitimate users.", "risk_and_exploitability": "The CVSS score is 6.9, indicating moderate severity, and the vulnerability can be triggered remotely by an attacker sending specially crafted video URL timestamps to the getTime routine. EPSS data is not available, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. The attack vector is presumed to be remote, as the function can be accessed via normal application inputs."}}}}, "created": "2026-04-10T08:36:38.207889+00:00", "updated": "2026-04-10T09:27:36.362499+00:00", "vendors": ["zod", "zod$PRODUCT$jsvideourlparser"]}