ReDoS occurs when a regular expression can be forced into extremely expensive matching behavior,
causing excessive CPU usage and degraded service availability.
Category: Algorithmic Complexity
Common impact: CPU exhaustion / DoS
Common surface: Regex validation / parsing
Risk model: Catastrophic backtracking
What is this vulnerability?
ReDoS happens when attacker-controlled input is processed by a vulnerable regular expression.
Certain regex patterns can take dramatically longer to evaluate as input size grows, tying up
the event loop or worker process.
How it works
Vulnerable expressions often contain nested quantifiers, ambiguous alternation, or repeated optional groups.
When a crafted input almost matches but fails near the end, the regex engine may retry many possible paths.
Minimal vulnerable example
This simplified example demonstrates how a pattern with nested repetition can become expensive when
it receives a crafted input.
Demo cases (interactive demo not captured on this page): safe input: quick match; longer input: more paths; crafted input: heavy backtracking.
Potential impact
A single crafted request can consume excessive CPU time.
Node.js services can become slow or unresponsive due to event-loop blocking.
Authentication, parsing, routing, or validation flows can become availability bottlenecks.
Repeated requests can amplify the effect into application-level denial of service.
Mitigation
Avoid nested quantifiers and ambiguous regex patterns on untrusted input.
Limit input length before regex evaluation.
Use safe regex tooling or linear-time parsers where possible.
Add timeout, rate limiting, and monitoring around expensive validation paths.
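The following is an added Node.js example, not the page's own demo code, that ties the "Minimal vulnerable example" and "Mitigation" sections together: a nested-quantifier pattern is timed against a constructed near-miss input, then placed beside an unambiguous rewrite that accepts the same strings, a length cap that runs before any regex does, and a check that the rewrite is a true drop-in replacement. The pattern, the 64-character cap and the helper names are assumptions chosen for illustration.

```javascript
// Added example (not the page's own demo code). Node.js, no dependencies.

// Vulnerable pattern: the nested quantifier lets the engine split a run of
// 'a's between the inner and outer repetition in exponentially many ways.
// On an input that almost matches ("aaaa...a!") every split is tried before
// the match fails, so the work roughly doubles with each extra 'a'.
const VULNERABLE = /^(a+)+$/;

// Rewritten pattern: accepts exactly the same strings (one or more 'a'),
// but with a single unambiguous quantifier there is nothing to backtrack into.
const SAFE = /^a+$/;

// Length cap applied before any regex runs (assumed value for this example).
const MAX_INPUT_LENGTH = 64;

// Constructed near-miss input: n copies of 'a' followed by a character that
// neither pattern accepts, which forces the failure to happen at the very end.
function craftedInput(n) {
  return 'a'.repeat(n) + '!';
}

// Run one match and report the result together with its wall-clock cost in ms.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// Hardened validator: reject non-strings and over-long input first, then use
// the linear pattern. A reason is returned so callers can log and alert on it.
function validateSafely(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'type' };
  if (input.length > MAX_INPUT_LENGTH) return { ok: false, reason: 'length' };
  return SAFE.test(input) ? { ok: true, reason: null } : { ok: false, reason: 'format' };
}

// Confirm that VULNERABLE and SAFE agree on every sample input, so the rewrite
// is a drop-in replacement and not a silent behaviour change.
function patternsAgree(inputs) {
  return inputs.every((s) => VULNERABLE.test(s) === SAFE.test(s));
}

function demo() {
  // Sizes kept small on purpose; the trend, not the absolute time, is the point.
  for (const n of [10, 14, 18]) {
    const input = craftedInput(n);
    const slow = timeMatch(VULNERABLE, input);
    const fast = timeMatch(SAFE, input);
    console.log(
      `n=${n}  vulnerable=${slow.elapsedMs.toFixed(3)}ms  safe=${fast.elapsedMs.toFixed(3)}ms`
    );
  }
  console.log(validateSafely(craftedInput(100))); // rejected on length, no regex executed
  console.log(validateSafely('aaaa'));            // accepted by the linear pattern
}

demo();
```

Because a synchronous `RegExp.test` cannot be interrupted from the same thread, the timeout recommended above has to be enforced around the match (for example by running it in a worker that is terminated on expiry), which is why the length cap is applied first: it bounds the work before the engine is ever invoked.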
Need private analysis for your codebase? Request exploitability review and dependency risk mapping from FikreSekhel Research.