ReDoS attacks
Definition
ReDoS (Regular Expression Denial of Service) is an attack in which crafted input makes a backtracking regex engine take superlinear time (exponential in the worst case) to evaluate a pattern, tying up the thread or process that runs it. It is triggered by patterns whose quantifiers can match the same input in many different ways, the classic case being nested quantifiers such as <code>(a+)+</code>. Defense: evaluate untrusted input with a linear-time engine (RE2; Go's standard <code>regexp</code> package implements RE2 syntax and semantics), avoid nested and overlapping quantifiers, and bound the time a match is allowed to take.
What it means
Backtracking regex engines (PCRE, Python's <code>re</code>, JavaScript's V8 Irregexp, Java's <code>java.util.regex</code>) can hit catastrophic backtracking on certain patterns. The classic example is <code>(a+)+$</code> against <code>aaaaaa!</code>: the trailing <code>!</code> guarantees that the match fails, and before giving up the engine tries every way of splitting the run of a's between the inner and outer <code>+</code>, roughly 2^n attempts for n a's. Ten a's cost microseconds; every additional a doubles the work, so around thirty a's the match takes seconds to minutes and at fifty it would effectively never finish. The result is denial of service: a single malicious request pins a CPU core (in Node.js, the one event loop), and every request queued behind it stalls. Real-world incidents: the Stack Overflow outage of 20 July 2016, where a post containing about 20,000 consecutive whitespace characters sent a trailing-whitespace regex (<code>^[\t\s]*[\r\n]+[\t\s]*$</code>) into quadratic backtracking, and the Cloudflare outage of 2 July 2019, where a WAF rule containing <code>.*(?:.*=.*)</code> drove CPU usage to 100% on every edge server worldwide.
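The doubling described above can be measured directly, and the same script shows the one reliable way to bound a match in a language without a regex timeout. This is an added example written for this page, not code from the original; it uses only the standard library, since Python's <code>re</code> is a backtracking engine and behaves like PCRE or JavaScript here. The names <code>time_match</code>, <code>safe_search</code> and <code>RegexTimeout</code> are this example's own, and the child-process approach stands in for the worker thread plus terminate() that the text describes for Node.js.

```python
"""Catastrophic backtracking, measured, plus a process-level timeout guard.

Added example, not from the original page. Standard library only.
"""
import json
import re
import subprocess
import sys
import time


def time_match(pattern: str, text: str) -> float:
    """Seconds spent evaluating pattern against text once, in-process."""
    compiled = re.compile(pattern)
    start = time.perf_counter()
    compiled.search(text)
    return time.perf_counter() - start


class RegexTimeout(Exception):
    """Raised when a guarded match exceeds its time budget."""


# Program run by the child interpreter: pattern via argv[1], subject text via
# stdin, result (match span or null) as JSON on stdout.
_CHILD = r"""
import json, re, sys
text = sys.stdin.read()
m = re.compile(sys.argv[1]).search(text)
print(json.dumps(list(m.span()) if m else None))
"""


def safe_search(pattern: str, text: str, timeout: float = 0.5):
    """Run pattern against text in a child process that is killed on timeout.

    CPython cannot interrupt a thread that is inside the regex engine, so the
    only dependable bound is a separate process. Returns the match span
    (start, end) or None; raises RegexTimeout if the budget is exceeded.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern],
            input=text, capture_output=True, text=True,
            timeout=timeout, check=True,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child by the time we get here.
        raise RegexTimeout(f"regex exceeded {timeout}s: {pattern!r}") from None
    span = json.loads(proc.stdout)
    return None if span is None else tuple(span)


if __name__ == "__main__":
    vulnerable = r"^(a+)+$"
    flat = r"^a+$"          # same language, no nesting, linear time
    for n in (14, 16, 18, 20):
        # Constructed attack input: the trailing '!' forces the match to fail.
        bad = "a" * n + "!"
        print(f"n={n:2d}  nested={time_match(vulnerable, bad) * 1000:8.2f} ms"
              f"  flat={time_match(flat, bad) * 1000:6.3f} ms")
    try:
        safe_search(vulnerable, "a" * 40 + "!", timeout=0.5)
    except RegexTimeout as exc:
        print("guard fired:", exc)
```

Run it and the <code>nested</code> column roughly doubles with each extra two a's while <code>flat</code> stays flat; the guarded call returns in half a second instead of hanging. Note what the guard does not do: the CPU time up to the deadline is still burned, so it limits the damage of one request rather than removing the vulnerability.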
Why it matters
Any web app that runs user-supplied input through a regex, or lets users supply the regex itself, is potentially exposed; validation patterns for e-mail addresses, URLs and trailing whitespace are the usual culprits. Bug bounties for ReDoS in popular libraries are common. Defense strategies: <strong>(1) Use a linear-time engine</strong> for untrusted input: RE2 (Go's standard <code>regexp</code>, Python's <code>re2</code> bindings, the <code>re2</code> npm package) or Rust's <code>regex</code> crate, at the cost of backreferences and lookaround; V8 also ships an experimental non-backtracking engine behind <code>--enable-experimental-regexp-engine</code>. <strong>(2) Avoid nested and overlapping quantifiers</strong> such as <code>(a+)+</code> and <code>(a|a)*</code>, and keep adjacent repeats from being able to match the same characters (<code>\s*\s*</code>, <code>.*.*</code>). <strong>(3) Bound execution time</strong>: .NET's <code>Regex</code> accepts a <code>matchTimeout</code>; Java, Python and JavaScript have no built-in limit, so the match has to run somewhere it can be killed (Node.js: a worker thread terminated on a deadline). A timeout caps the damage per request, but the CPU time is still spent, so it is a backstop rather than a fix. <strong>(4) Audit dependencies</strong>: npm and PyPI packages (validators, sanitizers, parsers) regularly carry vulnerable patterns and show up in advisories. Tools such as <code>safe-regex</code>, <code>vuln-regex-detector</code> and <code>recheck</code> scan patterns for ReDoS-prone structure.
Example
Vulnerable: <code>^(a+)+$</code> on <code>aaaaaaaaaaaaaaaaa!</code>. The work doubles with every added <code>a</code>, so a few dozen of them push a single match into seconds or minutes. Fix: <code>^a+$</code> matches exactly the same strings in linear time, because the inner and outer quantifiers were redundant. Where the nesting is genuinely needed, a possessive quantifier, <code>^(a++)+$</code>, or an atomic group, <code>^(?>a+)+$</code>, stops the engine from re-splitting what the inner group already consumed (PCRE, Java, Ruby and Python 3.11+ support both; JavaScript supports neither). Or evaluate the pattern with RE2, which has no backtracking to exploit.
Frequently asked questions
Is JavaScript regex safe?
By default, no: V8's Irregexp is a backtracking engine with the same failure mode as PCRE, and neither the language nor Node.js offers a match timeout, so a regex running on the main thread cannot be interrupted. V8 ships an experimental linear-time engine behind <code>--enable-experimental-regexp-engine</code>, but it is not on by default. For untrusted input, run the match in a worker thread and terminate the worker on a deadline, or use a library with a linear-time guarantee such as the <code>re2</code> npm package.
What patterns to avoid?
Nested unbounded quantifiers: <code>(a+)+</code>, <code>(a*)*</code>, <code>(\w+\s?)*</code>. Alternation whose branches overlap: <code>(a|a)*</code>, <code>(a|aa)*</code>. Adjacent quantifiers that can match the same characters, such as <code>\s*\s*$</code> or <code>.*(?:.*=.*)</code>, which blow up polynomially rather than exponentially but were still enough to take down Stack Overflow and Cloudflare. Where the engine supports them, use possessive quantifiers (<code>a++</code>) or atomic groups <code>(?>...)</code> (PCRE, Java, Ruby, Python 3.11+; not JavaScript), or restructure the pattern so that each character can be consumed in only one way.
How do I scan my code for ReDoS?
<code>safe-regex</code> (npm), <code>recheck</code> (CLI and library; its fuzzing mode also produces an attack string for each finding), <code>vuln-regex-detector</code>, and GitHub CodeQL's ReDoS queries (for example <code>js/redos</code>). All of these are heuristics, so run them in CI over your own patterns and your dependencies, and treat a clean report as reduced risk rather than proof.
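To make concrete what such a scanner looks for, here is a small linter for the two shapes listed under "What patterns to avoid?" and in defense (2) above: an unbounded quantifier nested inside another, and an alternation with a shared prefix inside a loop. It is an added example written for this page, not one of the tools the text names and far less thorough than they are. It walks the tree built by CPython's own regex parser (<code>re._parser</code>, a private module that may change between versions; <code>sre_parse</code> on older interpreters); <code>find_redos_risks</code> and the helper names are this example's own.

```python
"""Heuristic static check for ReDoS-prone regex shapes.

Added example, not from the original page and not one of the scanners it
names. Relies on CPython's private regex parser (re._parser / sre_parse).
"""
try:
    from re import _parser as sre_parser   # Python 3.11+
except ImportError:
    import sre_parse as sre_parser         # Python 3.10 and earlier

MAXREPEAT = sre_parser.MAXREPEAT
BACKTRACKING_REPEATS = (sre_parser.MAX_REPEAT, sre_parser.MIN_REPEAT)
# Possessive quantifiers and atomic groups (Python 3.11+) cannot be re-entered
# by backtracking once matched, so their contents are analysed as top level.
POSSESSIVE_REPEAT = getattr(sre_parser, "POSSESSIVE_REPEAT", None)
ATOMIC_GROUP = getattr(sre_parser, "ATOMIC_GROUP", None)


def find_redos_risks(pattern: str) -> list:
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    _walk(sre_parser.parse(pattern), False, findings)
    return findings


def _walk(node, in_loop, findings):
    """node: parsed SubPattern; in_loop: inside an unbounded backtracking repeat."""
    has_left_sibling = False
    for op, av in node:
        if op in BACKTRACKING_REPEATS:
            _lo, hi, body = av
            unbounded = hi == MAXREPEAT
            if unbounded and in_loop:
                findings.append("nested unbounded quantifier (exponential backtracking)")
            _walk(body, in_loop or unbounded, findings)
        elif op == POSSESSIVE_REPEAT:
            _walk(av[2], False, findings)
        elif op == ATOMIC_GROUP:
            _walk(av, False, findings)
        elif op == sre_parser.SUBPATTERN:
            _walk(av[-1], in_loop, findings)      # av[-1] is the group body
        elif op == sre_parser.BRANCH:
            alternatives = av[1]
            # The parser hoists a prefix shared by every alternative out of the
            # branch and leaves an empty alternative behind: (a|aa)* is stored as
            # a followed by (|a). Inside a loop that is the overlapping-branch
            # case from the text, so flag it.
            if in_loop and has_left_sibling and any(len(alt) == 0 for alt in alternatives):
                findings.append("alternatives share a prefix inside a loop (ambiguous split)")
            for alt in alternatives:
                _walk(alt, in_loop, findings)
        elif op in (sre_parser.ASSERT, sre_parser.ASSERT_NOT):
            _walk(av[1], in_loop, findings)
        elif op == sre_parser.GROUPREF_EXISTS:
            for sub in av[1:]:
                if sub:
                    _walk(sub, in_loop, findings)
        has_left_sibling = True


if __name__ == "__main__":
    samples = [
        r"^(a+)+$", r"^(a*)*$", r"^(a|aa)*$", r"^(\w+\s?)*$",          # risky
        r"^a+$", r"^\d{1,3}(\.\d{1,3}){3}$", r"^[\w.-]+@[\w-]+\.\w+$",  # fine
    ]
    for pat in samples:
        print(f"{pat:28s} -> {find_redos_risks(pat) or 'ok'}")
```

Two caveats that apply equally to the real tools: this check only sees pattern structure, so it misses the polynomial cases built from adjacent overlapping repeats (the Stack Overflow and Cloudflare patterns pass it clean), and a finding is a reason to review the pattern, not a confirmed exploit; <code>recheck</code> goes further by deriving an attack string you can time against the engine.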
Related terms
- Regex flavors comparison: Regex isn't one universal language; each engine has its own features. JavaScript ECMAScript (browser/Node): standard. Python <code>re</code>: similar, plus named groups and, from 3.11, possessive quantifiers and atomic groups. PCRE (PHP; Perl-compatible): adds recursion and possessive quantifiers; Java's <code>java.util.regex</code> is a separate engine with similar syntax. Go <code>regexp</code> (RE2): linear time guaranteed, but no lookaround or backreferences.
- Regex cheat sheet: Quick regex reference. Character classes: <code>\d</code> digit, <code>\w</code> word, <code>\s</code> whitespace. Quantifiers: <code>*</code> 0+, <code>+</code> 1+, <code>?</code> 0-1, <code>{n,m}</code> range. Anchors: <code>^</code> start, <code>$</code> end, <code>\b</code> word boundary. Groups: <code>(...)</code> capture, <code>(?:...)</code> non-capture, <code>(?<name>...)</code> named.
- Regex: Regex (regular expressions) is a notation for describing patterns in text, used for searching, matching, replacing, splitting, and validating. Every language has a regex engine; the syntax mostly overlaps but has gotchas.