video.js icon indicating copy to clipboard operation
video.js copied to clipboard
verified publisher icon videojs

fix: Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation

Open mmmsssttt404 opened this issue 4 months ago • 2 comments

Description

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

https://github.com/videojs/video.js/blob/3380d33d6f9c2c22a50b35a759519b90723f33a4/build/jsdoc-typeof-plugin.js#L6

gist:https://gist.github.com/mmmsssttt404/2115fe1bbc0afdecda2128d5084b18a0

屏幕截图 2025-08-19 215415 
1.git clone https://github.com/mmmsssttt404/video.js.git
2.cd video.js
3.npm install
4.npx qunit test/build/jsdoc-typeof-plugin.test.js
5.npm test

Specific Changes proposed

Please list the specific changes involved in this pull request.

change regex to: https://github.com/mmmsssttt404/video.js/blob/d9ae655a3710d42adeb7e7be31fe316515ccf801/build/jsdoc-typeof-plugin.js#L6

then: 屏幕截图 2025-08-20 114636 屏幕截图 2025-08-20 114810

Requirements Checklist

  • [x] Feature implemented / Bug fixed
  • [ ] If necessary, more likely in a feature request than a bug fix
    • [ ] Change has been verified in an actual browser (Chrome, Firefox, IE)
    • [x] Unit Tests updated or fixed
    • [ ] Docs/guides updated
    • [x] Example created (starter template on JSBin)
    • [x] Has no DOM changes which impact accessiblilty or trigger warnings (e.g. Chrome issues tab)
    • [x] Has no changes to JSDoc which cause npm run docs:api to error
  • [ ] Reviewed by Two Core Contributors

mmmsssttt404 avatar Aug 20 '25 04:08 mmmsssttt404