youtube-regex npm Package Regex Denial-of-Service Vulnerability
Vulnerability
A regular expression denial-of-service (ReDoS) vulnerability has been identified in the youtube-regex npm package, affecting versions through 1.0.5. A regex pattern in the package backtracks excessively when given large input, causing significant processing delays. A carefully crafted string that triggers this backtracking increases processing time and can degrade performance.
Impact
Exploitation of this vulnerability causes a denial-of-service condition by significantly slowing input processing, with reported delays of over 2.3 seconds for large payloads compared to just over 1 second for smaller ones.
Reproduction
To reproduce this vulnerability, require the youtube-regex package in a Node.js environment. Then create a payload that includes a YouTube URL pattern, specifically 'watch?m', repeated 30,000 times, followed by a tab character. Use this payload to test the youtube-regex function, and measure the processing time to demonstrate the delay caused by the vulnerability.
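One way for a caller to avoid feeding untrusted input to a backtracking pattern, shown as an added example that is not code from the youtube-regex package or from this advisory: cap the input length, parse with the WHATWG URL API, and validate the ID with an anchored fixed-length pattern. The function names, the 2048-character limit, the host list and the 11-character ID format are assumptions of this sketch.

```javascript
// Added example: linear-time YouTube ID extraction that avoids regex backtracking.
// MAX_URL_LENGTH, the host list and the 11-character ID format are assumptions.
const MAX_URL_LENGTH = 2048;
const YOUTUBE_HOSTS = new Set(['youtube.com', 'www.youtube.com', 'm.youtube.com', 'youtu.be']);
// Anchored, fixed-length character class: no nested or overlapping quantifiers.
const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

function extractYouTubeId(input) {
  // Reject oversized or non-string input before any pattern matching happens.
  if (typeof input !== 'string' || input.length > MAX_URL_LENGTH) return null;

  let url;
  try {
    url = new URL(input.trim());
  } catch {
    return null; // not a parseable absolute URL
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!YOUTUBE_HOSTS.has(url.hostname)) return null;

  let candidate = null;
  if (url.hostname === 'youtu.be') {
    candidate = url.pathname.slice(1).split('/')[0];
  } else if (url.pathname === '/watch') {
    candidate = url.searchParams.get('v');
  } else if (url.pathname.startsWith('/embed/')) {
    candidate = url.pathname.split('/')[2];
  }
  return candidate && VIDEO_ID.test(candidate) ? candidate : null;
}

// Constructed input in the shape the advisory describes: 'watch?m' x 30,000 plus a tab.
function advisoryShapedPayload() {
  return 'watch?m'.repeat(30000) + '\t';
}

// Returns the extraction result together with the wall-clock time it took.
function timeExtraction(input) {
  const start = process.hrtime.bigint();
  const result = extractYouTubeId(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, elapsedMs };
}
```

Because the length check runs first, the advisory-shaped payload is rejected in constant time, and shorter inputs only ever reach the URL parser and a bounded pattern.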
