Regex catastrophic backtracking — ReDoS vulnerability
Tags: catastrophic backtracking, ReDoS, nested quantifiers, re2, safe-regex, regex timeout
Platforms: browser, nodejs, python
Problem
A regular expression causes the application to hang or consume all available CPU on certain inputs. The regex works fine on normal strings but takes exponential time on specially crafted input. Because an attacker who controls the input can trigger it, this is also a denial-of-service vulnerability (ReDoS).
Solution
(1) Avoid nested quantifiers: a quantified group that itself contains a quantifier, such as (a+)+, and a quantified alternation such as (a|b)* whose branches can match the same text, are the classic dangerous patterns.
(2) Use atomic groups or possessive quantifiers if your engine supports them, so the engine cannot re-try alternatives it has already committed to.
(3) Set a timeout on regex execution. JavaScript has no built-in regex timeout, so run the match in a worker thread that can be terminated when the timeout expires.
(4) Use the re2 library (linear-time guarantees, no backtracking).
(5) Test with ReDoS checkers: safe-regex, rxxr2, or regex101.com's debugger.
(6) For user-supplied patterns, always use re2 or a similar safe engine.
(7) Prefer specific character classes over dots: [a-z]+ instead of .+ when possible.
Why
Backtracking (NFA-style) regex engines (JavaScript, Python, Java, Ruby) try alternatives one at a time and back up when a branch fails. Certain patterns cause exponential backtracking because, on an input that ultimately fails to match, the engine tries every possible way of dividing the input among the quantifiers before giving up.
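An added Python example (not part of the original card) illustrating the pattern from the Solution and the timeout from step (3): `(a+)+$` against a string of a's ending in a non-matching character, beside its non-nested equivalent. In CPython the `re` engine runs in C without releasing the GIL or checking signals, so neither a thread nor `signal.alarm` can interrupt a runaway match; the helper below runs the match in a child process it can terminate. The function and pattern names are mine, and the input is constructed.

```python
import multiprocessing as mp
import re

# Classic catastrophic pattern: a nested quantifier whose failure is only
# discovered at the end of input, forcing every split of the a's to be tried.
VULNERABLE = r"^(a+)+$"
# Same language, no nesting: backtracking is linear in the input length.
SAFE = r"^a+$"


def _search(pattern, text, conn):
    """Worker body: run the match in the child and report True/False back."""
    conn.send(re.fullmatch(pattern, text) is not None)
    conn.close()


def match_with_timeout(pattern, text, timeout=1.0):
    """Return True/False for a match, or None if it exceeds `timeout` seconds.

    The match runs in a separate process because CPython's regex loop holds
    the GIL and ignores signals until it finishes; terminating the child is
    the only reliable kill switch for a catastrophic pattern.
    """
    reader, writer = mp.Pipe(duplex=False)
    proc = mp.Process(target=_search, args=(pattern, text, writer))
    proc.start()
    writer.close()  # parent keeps only the reading end
    if reader.poll(timeout):
        result = reader.recv()
        proc.join()
        return result
    proc.terminate()  # still running: kill it rather than wait for 2^n steps
    proc.join()
    return None


if __name__ == "__main__":
    # Constructed input: 32 a's followed by a character that forces failure.
    evil = "a" * 32 + "!"
    print(match_with_timeout(SAFE, evil))        # False, returns immediately
    print(match_with_timeout(VULNERABLE, evil))  # None, killed after the timeout
```

The same input is harmless for the SAFE pattern, which is the point of rewriting the regex rather than only adding a timeout.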