CVE-2026-5986: Inefficient Regular Expression Complexity in Zod jsVideoUrlParser
CVE-2026-5986 is a medium severity vulnerability in the Zod jsVideoUrlParser library versions 0. 5. 0 and 0. 5. 1. The issue arises from inefficient regular expression complexity in the getTime function within lib/util. js, triggered by manipulation of the timestamp argument. This vulnerability can be exploited remotely and the exploit code is publicly available. The project maintainers have been informed but have not yet responded or provided a fix. No official patch or remediation guidance is currently available.
AI Analysis
Technical Summary
This vulnerability involves inefficient regular expression complexity in the getTime function of the Zod jsVideoUrlParser library (up to version 0.5.1). By manipulating the timestamp argument, an attacker can cause excessive resource consumption due to the inefficient regex processing. The vulnerability is remotely exploitable without authentication or user interaction. Although the issue was reported early, the vendor has not issued a fix or mitigation. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on availability.
Potential Impact
An attacker can remotely trigger inefficient regular expression processing, potentially leading to denial of service conditions by exhausting system resources. There is no indication of data confidentiality or integrity impact. The exploit is publicly available, increasing the risk of exploitation. However, no known exploits in the wild have been reported to date.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Users should monitor the vendor's channels for updates or patches. Until a fix is released, consider applying input validation or limiting the size and complexity of timestamp inputs to reduce the risk of triggering the vulnerability. Avoid exposing the vulnerable function to untrusted inputs where possible.
CVE-2026-5986: Inefficient Regular Expression Complexity in Zod jsVideoUrlParser
Description
CVE-2026-5986 is a medium severity vulnerability in the Zod jsVideoUrlParser library versions 0. 5. 0 and 0. 5. 1. The issue arises from inefficient regular expression complexity in the getTime function within lib/util. js, triggered by manipulation of the timestamp argument. This vulnerability can be exploited remotely and the exploit code is publicly available. The project maintainers have been informed but have not yet responded or provided a fix. No official patch or remediation guidance is currently available.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves inefficient regular expression complexity in the getTime function of the Zod jsVideoUrlParser library (up to version 0.5.1). By manipulating the timestamp argument, an attacker can cause excessive resource consumption due to the inefficient regex processing. The vulnerability is remotely exploitable without authentication or user interaction. Although the issue was reported early, the vendor has not issued a fix or mitigation. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on availability.
Potential Impact
An attacker can remotely trigger inefficient regular expression processing, potentially leading to denial of service conditions by exhausting system resources. There is no indication of data confidentiality or integrity impact. The exploit is publicly available, increasing the risk of exploitation. However, no known exploits in the wild have been reported to date.
Mitigation Recommendations
No official fix or patch is currently available from the vendor. Users should monitor the vendor's channels for updates or patches. Until a fix is released, consider applying input validation or limiting the size and complexity of timestamp inputs to reduce the risk of triggering the vulnerability. Avoid exposing the vulnerable function to untrusted inputs where possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-04-09T12:23:35.990Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d82d481cc7ad14da2fc1d9
Added to database: 4/9/2026, 10:50:48 PM
Last enriched: 4/9/2026, 11:05:43 PM
Last updated: 4/9/2026, 11:58:50 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.