CVE-2026-5986: Zod jsVideoUrlParser vulnerable to ReDoS in util.js

April 10, 2026

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/Zod-/jsVideoUrlParser
github.com/Zod-/jsVideoUrlParser/issues/121
github.com/Zod-/jsVideoUrlParser/issues/121
github.com/advisories/GHSA-8fgx-wgvr-pcx8
nvd.nist.gov/vuln/detail/CVE-2026-5986
vuldb.com/submit/791911
vuldb.com/vuln/356540
vuldb.com/vuln/356540/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-5986 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →