CWE-1333
Inefficient Regular Expression Complexity
Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
DoS: Resource Consumption (CPU)
Potential Mitigations
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Limit the length of the input that the regular expression will process.
CVE-2020-5243server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2021-21317npm package for user-agent parser prone to ReDoS due to overlapping capture groups
CVE-2019-16215Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.
CVE-2019-6785Long string in a version control product allows DoS due to an inefficient regex.
CVE-2019-12041Javascript code allows ReDoS via a long string due to excessive backtracking.
CVE-2015-8315ReDoS when parsing time.
CVE-2015-8854ReDoS when parsing documents.
CVE-2017-16021ReDoS when validating URL.
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now