What is ReDoS (Regular Expression Denial of Service)?
An attack where a crafted input triggers catastrophic backtracking in a regular-expression engine, stalling the thread that runs the match (in a single-threaded runtime such as Node.js, the whole event loop).
Full explanation
Certain regex patterns, especially those with nested quantifiers like `(a+)+` or alternations whose branches overlap like `(a|aa)+`, can take exponential time on adversarial input: a backtracking engine (V8, PCRE, java.util.regex, Python's `re`) tries every way of partitioning the input before it can conclude that the input does not match. Any application that passes attacker-controlled input through such a regex is vulnerable to a DoS where a single request stalls a worker; the attacker needs no privileges, only a string of the right shape and length. Recent high-profile ReDoS CVEs include micromatch (CVE-2024-4067), braces (CVE-2024-4068), and path-to-regexp (CVE-2024-52798 and CVE-2024-45296).
Example
Regex `^(a+)+$` matched against `aaaaaaaaaaaaaaaaaaaaaaaaa!` takes exponential time relative to input length. The trailing `!` guarantees that the overall match fails, and before giving up the engine tries every way of splitting the run of a's between the inner `a+` and the outer `(...)+`, roughly 2^n attempts for n a's. Since `(a+)+` accepts exactly the same strings as `a+`, rewriting the pattern as `^a+$` removes the ambiguity without changing what it matches.
FAQ
Does RE2 solve ReDoS?
Google's RE2 engine guarantees linear-time matching by construction (it is automaton-based and never backtracks), at the cost of dropping the PCRE features that require backtracking, chiefly backreferences and lookaround. In Node the `re2` npm package wraps it as a native addon, but it only protects regexes you construct explicitly through that package: regex literals in your own code and every regex inside your dependencies still run on V8's backtracking engine, so swapping it in is rarely a drop-in fix. Input-length limits and auditing patterns for nested or overlapping quantifiers remain necessary even where RE2 is available.