HiveBrain v1.2.0
gotcha · Critical · pending

Regex catastrophic backtracking — ReDoS vulnerability

Submitted by: @anonymous
Tags: catastrophic backtracking, ReDoS, nested quantifiers, re2, safe-regex, regex timeout
Platforms: browser, nodejs, python

Error Messages

Maximum call stack size exceeded
regex timeout
script timeout

Problem

A regular expression causes the application to hang or consume all available CPU on certain inputs. The regex works fine on normal strings but takes exponential time on specially crafted input. Because that input can come from an attacker, this is also a denial-of-service vulnerability (ReDoS).

Solution

(1) Avoid nested quantifiers: (a+)+ or (a|b) are dangerous patterns.
(2) Use atomic groups or possessive quantifiers if your engine supports them.
(3) Set a timeout on regex execution. JavaScript has no built-in regex timeout, so run the match in a worker thread and terminate it on timeout.
(4) Use the re2 library (linear-time guarantees, no backtracking).
(5) Test with ReDoS checkers: safe-regex, rxxr2, or regex101.com's debugger.
(6) For user-supplied patterns: always use re2 or a similar safe engine.
(7) Prefer specific character classes over dots: [a-z]+ instead of .+ when possible.

Why

NFA-based regex engines (JavaScript, Python, Java, Ruby) use backtracking. Certain patterns cause exponential backtracking because, when a match attempt fails, the engine retries every possible way of splitting the input between the quantifiers before giving up.
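As an added example (not part of this entry or of any of the tools it names), here is a small Python check that applies solution items (1) and (5) statically: it uses the standard library's own regex parser to compute the "star height" of a pattern, the same nested-quantifier heuristic safe-regex uses, so the backtracking described above can be caught before a pattern ships. The sample patterns are constructed; the function names are mine.

```python
"""Static star-height check for catastrophic-backtracking risk (added example)."""
try:
    from re import _parser as sre_parse   # Python 3.11+ (private module)
except ImportError:                        # pragma: no cover
    import sre_parse                       # Python <= 3.10

# Quantifiers a backtracking engine may retry: '*', '+', '?', '{m,n}'.
# Possessive '++' (3.11+) is deliberately not counted: it never backtracks.
_REPEATS = {sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT}

def _height(node) -> int:
    # Walk the parse tree generically: SubPattern -> its (op, av) items,
    # tuples/lists -> their children, anything else (literals, flags) -> 0.
    if isinstance(node, sre_parse.SubPattern):
        return max((_height_of(op, av) for op, av in node), default=0)
    if isinstance(node, (tuple, list)):
        return max((_height(child) for child in node), default=0)
    return 0

def _height_of(op, av) -> int:
    # av carries the nested SubPattern for repeats, groups, branches, lookarounds.
    inner = _height(av)
    return inner + 1 if op in _REPEATS else inner

def star_height(pattern: str) -> int:
    # Maximum nesting depth of backtracking quantifiers: (a+)+ -> 2, a+ -> 1, abc -> 0.
    return _height(sre_parse.parse(pattern))

def is_risky(pattern: str) -> bool:
    # Nested quantifiers (star height >= 2) are flagged, as safe-regex does.
    # Conservative: ^\w+(,\w+)*$ scores 2 although the comma separator makes it safe.
    # Blind spot: overlapping alternation inside ONE quantifier, e.g. (a|a)*, scores 1
    # yet still backtracks exponentially; such patterns need a real engine test.
    return star_height(pattern) >= 2

def audit(patterns):
    # Map each flagged pattern to its star height; empty dict means nothing flagged.
    return {p: star_height(p) for p in patterns if is_risky(p)}

if __name__ == "__main__":
    # Constructed samples: two classic ReDoS shapes plus two linear-safe patterns.
    SAMPLES = [r"^(a+)+$", r"^(\w+\s?)*$", r"^[a-z]+@[a-z]+\.[a-z]+$", r"^(a|b)*$"]
    for pat, h in audit(SAMPLES).items():
        print(f"risky (star height {h}): {pat}")
```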
