CVE-2026-5986: Inefficient Regular Expression Complexity in Zod jsVideoUrlParser
A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AI Analysis
Technical Summary
This vulnerability in Zod jsVideoUrlParser (<= 0.5.1) involves inefficient regular expression complexity in the getTime function of lib/util.js. An attacker can remotely supply crafted input to the timestamp parameter, causing excessive processing time due to the inefficient regex. This can potentially lead to denial of service conditions. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity) with network attack vector, no privileges or user interaction required, and low impact on availability. The issue was reported early but remains unpatched as of the publication date.
Potential Impact
The impact is primarily a potential denial of service caused by inefficient regular expression processing triggered remotely without authentication or user interaction. There is no indication of code execution, data disclosure, or privilege escalation. The exploit is publicly available, increasing the risk of attempted attacks, but no known exploitation in the wild has been reported.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Users should monitor the vendor's communications for updates. Until a fix is released, consider applying input validation or limiting the size and complexity of timestamp inputs to mitigate potential denial of service. Avoid exposing the vulnerable function to untrusted inputs where possible.
CVE-2026-5986: Inefficient Regular Expression Complexity in Zod jsVideoUrlParser
Description
A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Zod jsVideoUrlParser (<= 0.5.1) involves inefficient regular expression complexity in the getTime function of lib/util.js. An attacker can remotely supply crafted input to the timestamp parameter, causing excessive processing time due to the inefficient regex. This can potentially lead to denial of service conditions. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity) with network attack vector, no privileges or user interaction required, and low impact on availability. The issue was reported early but remains unpatched as of the publication date.
Potential Impact
The impact is primarily a potential denial of service caused by inefficient regular expression processing triggered remotely without authentication or user interaction. There is no indication of code execution, data disclosure, or privilege escalation. The exploit is publicly available, increasing the risk of attempted attacks, but no known exploitation in the wild has been reported.
Mitigation Recommendations
No official patch or remediation is currently available from the vendor. Users should monitor the vendor's communications for updates. Until a fix is released, consider applying input validation or limiting the size and complexity of timestamp inputs to mitigate potential denial of service. Avoid exposing the vulnerable function to untrusted inputs where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-09T12:23:35.990Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d82d481cc7ad14da2fc1d9
Added to database: 4/9/2026, 10:50:48 PM
Last enriched: 4/17/2026, 11:50:31 AM
Last updated: 5/25/2026, 2:30:02 AM
Views: 75
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.