The vulnerability stems from inefficient regular expressions used in numeric value parsing. The parseNumber function contains multiple complex regex patterns (numberRe, base16Re, etc.) that exhibit exponential time complexity for certain malicious inputs. During .proto file parsing, readValue calls parseNumber with attacker-controlled data, making these functions appear in stack traces when processing malicious payloads. The GitHub advisory specifically references parse.js line 27 which contains the regex definitions, and the CVE description confirms the ReDoS occurs during invalid proto file parsing.