Unrestricted Resource Consumption

Unrestricted Resource Consumption in Node.js (Express) [CVE-2026-5986]

[Updated Apr 2026] Updated CVE-2026-5986

Overview

Unrestricted Resource Consumption (DoS) can occur when an attacker feeds crafted input to a parser that performs expensive regex evaluation, consuming CPU and potentially exhausting memory. CVE-2026-5986 documents a weakness in Zod's jsVideoUrlParser up to version 0.5.1, where the affected getTime path leads to inefficient regular expression complexity. The issue is remotely exploitable, and the public exploit demonstrates how such input can cause sustained CPU usage, risking service degradation or outages. This vulnerability is categorized under CWE-400 and CWE-1333, indicating resource exhaustion through abusive inputs.

In a Node.js (Express) application, this manifests when a route or service forwards user-provided data to a parsing routine without strict input bounds or safeguards. An attacker could submit long or specially crafted timestamp-like inputs that trigger backtracking-heavy regex, causing high CPU load on the event loop, blocking other requests, and potentially bringing the server down.

Root cause and exploitation details: the vulnerability relies on a timestamp parameter being processed by a regex-based parser. By manipulating the timestamp, the parser's regex can enter a pathological state that requires excessive backtracking and computation, creating a denial of service from a single remote request. Because real-world deployments often expose HTTP endpoints that accept user input for parsing media URLs or timestamps, the risk translates directly to internet-facing Express apps.

Remediation focus: upgrade jsVideoUrlParser to a patched version (or apply the vendor patch), validate inputs with practical bounds, apply rate limiting and circuit breakers, move heavy parsing to workers or separate services, and enable timeouts. Validate dependencies and monitor for regression. The following code sample shows vulnerable vs. fixed patterns and practical Node.js/Express fixes.

Affected Versions

jsVideoUrlParser up to v0.5.1 (CVE-2026-5986)

Code Fix Example

Node.js (Express) API Security Remediation

// Vulnerable and fixed side-by-side example (Node.js / Express)
const express = require('express');
const app = express();
app.use(express.json());

// ----- Vulnerable pattern (for CVE-2026-5986 illustration) -----
function vulnerableRegexParse(input) {
  // Simulates heavy regex work that can be exploited remotely
  if (typeof input !== 'string') return false;
  const heavy = /^(a+)+$/.test(input); // catastrophic backtracking risk on long inputs
  return heavy;
}

// ----- Fixed pattern (safe, bounded) -----
function safeRegexParse(input) {
  if (typeof input !== 'string') throw new TypeError('Invalid input');
  // Bound the input to prevent resource exhaustion
  if (input.length > 512) throw new Error('Input too long');
  // Use a simple, safe pattern instead of a vulnerable one
  return /^[a]+$/.test(input);
}

app.post('/video/parse', (req, res) => {
  const input = req.body?.videoInput;
  // Vulnerable usage (illustrative only):
  // const vuln = vulnerableRegexParse(input);
  // Fixed usage:
  let fixed;
  try {
    fixed = safeRegexParse(input);
  } catch (e) {
    return res.status(400).json({ error: e.message });
  }
  res.json({ fixed });
});

// Start server (for demonstration; in production, ensure proper TLS, logging, and protections)
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => console.log(`Server listening on port ${PORT}`));
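The fix above bounds the input length but still hands it to a regex. As an added example (not jsVideoUrlParser's code and not part of the original page), the following replaces regex-based timestamp parsing altogether with a single-pass scanner whose cost is linear in the input length, and wraps it in a request guard that rejects oversized values before any parsing work and records how long parsing took so slow inputs can be alerted on. The accepted formats ("90", "1h2m3s", "1:02:03"), the 32-character cap, the 99999 per-field limit and the function names are assumptions for illustration.

```javascript
'use strict';

// Added example, not the library's parser. Accepted formats are an assumption:
// bare seconds ("90"), unit form ("1h2m3s", "2m30s", "1h") or colon form ("1:02:03", "2:30").
const MAX_TIMESTAMP_LENGTH = 32;      // hard cap applied before any parsing work
const MAX_FIELD_VALUE = 99999;        // refuse absurd per-field values early
const UNIT_SECONDS = { h: 3600, m: 60, s: 1 };
const UNIT_RANK = { h: 1, m: 2, s: 3 }; // units must appear in h -> m -> s order, each at most once

// Unit form: every character is visited exactly once, so the cost is O(length)
// no matter how the input is shaped. Returns total seconds or null when rejected.
function parseUnitForm(raw) {
  let total = 0;
  let number = -1;        // -1 means "no digits pending"
  let lastRank = 0;       // rank of the last unit seen (0 = none yet)
  for (let i = 0; i < raw.length; i++) {
    const c = raw[i];
    if (c >= '0' && c <= '9') {
      number = (number < 0 ? 0 : number) * 10 + (c.charCodeAt(0) - 48);
      if (number > MAX_FIELD_VALUE) return null;
    } else if (Object.prototype.hasOwnProperty.call(UNIT_RANK, c)) {
      if (number < 0) return null;             // unit without a preceding number
      if (UNIT_RANK[c] <= lastRank) return null; // repeated or out-of-order unit
      total += number * UNIT_SECONDS[c];
      number = -1;
      lastRank = UNIT_RANK[c];
    } else {
      return null;                              // anything else is rejected
    }
  }
  if (number >= 0) {
    // Trailing bare digits are only valid when no unit was used at all ("90").
    if (lastRank !== 0) return null;
    total = number;
  }
  return total;
}

// Colon form: 2 or 3 numeric fields; minutes and seconds must be below 60.
function parseColonForm(raw) {
  const parts = raw.split(':');
  if (parts.length < 2 || parts.length > 3) return null;
  let total = 0;
  for (let idx = 0; idx < parts.length; idx++) {
    const part = parts[idx];
    if (part.length === 0 || part.length > 5) return null;
    for (let i = 0; i < part.length; i++) {
      if (part[i] < '0' || part[i] > '9') return null;
    }
    const value = Number(part);
    if (idx > 0 && value >= 60) return null;
    total = total * 60 + value;
  }
  return total;
}

// Entry point: type and length checks first, then one of the two linear scanners.
function parseTimestampSeconds(raw) {
  if (typeof raw !== 'string') return null;
  if (raw.length === 0 || raw.length > MAX_TIMESTAMP_LENGTH) return null;
  return raw.includes(':') ? parseColonForm(raw) : parseUnitForm(raw);
}

// Route-level guard written as a pure function so it can be tested without a
// server. It rejects oversized input with 413 before parsing, returns 400 on
// malformed input, and reports parse time so a monitor can flag slow requests.
function handleTimestampRequest(query) {
  const raw = query && query.t;
  if (typeof raw !== 'string') return { status: 400, body: { error: 'missing t' } };
  if (raw.length > MAX_TIMESTAMP_LENGTH) return { status: 413, body: { error: 'timestamp too long' } };
  const started = process.hrtime.bigint();
  const seconds = parseTimestampSeconds(raw);
  const elapsedMs = Number(process.hrtime.bigint() - started) / 1e6;
  if (seconds === null) return { status: 400, body: { error: 'invalid timestamp' }, elapsedMs };
  return { status: 200, body: { seconds }, elapsedMs };
}

// Express wiring (assumed route name; left commented so this file runs without express):
// app.get('/video/time', (req, res) => {
//   const r = handleTimestampRequest(req.query);
//   if (r.elapsedMs > 5) console.warn('slow timestamp parse', r.elapsedMs, 'ms');
//   res.status(r.status).json(r.body);
// });

// Constructed hostile input: a very long digit run is refused by the length cap
// before the scanner runs, so the cost of rejecting it does not grow with its size.
const hostile = '1'.repeat(10000) + '!';
console.log(handleTimestampRequest({ t: hostile }).status, handleTimestampRequest({ t: '1h2m3s' }).body);
```

Because the scanner never backtracks, the worst-case cost of any accepted or rejected input is a single pass over at most 32 characters, which is what the remediation list above asks for when it says to bound inputs; the elapsed-time field gives the monitoring hook for the "monitor for regression" step.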
