
ReDoS (Regex Denial of Service)

security CWE-1333 OWASP A5:2021 CVSS 7.5 Intermediate
debt(d7/e3/b3/t7)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). Tools like semgrep and rexploiter (listed under Detection Hints) can catch some patterns, but catastrophic backtracking often only shows up under adversarial testing — it is not a default linter check.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). Per the Quick Fix, the remediation is rewriting the regex pattern, setting pcre.backtrack_limit, or switching to filter_var() — a localised pattern swap rather than a one-liner, since you typically need to redesign the regex.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). It applies to web/API contexts; each vulnerable regex is a local issue at its call site, not an architectural commitment, though regexes scattered across input validation can add up.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). As the Common Misconception notes, even well-intentioned regexes with nested quantifiers exhibit exponential backtracking — developers expect regex matching time to scale linearly with input length, but it can be exponential, contradicting the normal mental model.


Also Known As

ReDoS; Regular Expression Denial of Service; catastrophic backtracking

TL;DR

A crafted input causes a regex with catastrophic backtracking to consume excessive CPU, making the application unresponsive.

Explanation

ReDoS exploits the backtracking behaviour of NFA-based regex engines. Certain patterns — particularly those with nested quantifiers like (a+)+ — require exponential time to determine a non-match for specially constructed inputs. An attacker who can influence the string being matched against such a pattern can cause the thread to spin indefinitely, effectively creating a denial-of-service condition with minimal effort. Mitigations include using atomic groups, possessive quantifiers, or regex analysers to detect vulnerable patterns before deployment.
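To make the exponential cost described above observable without hanging a process, here is an added example (not code from the CodeClarityLab entry) that runs the glossary's vulnerable pattern and its atomic-group rewrite against constructed 'aaa…ab' inputs under a deliberately low pcre.backtrack_limit. The probe() function and the 10,000-step budget are this example's own choices; the point is that the engine reports PREG_BACKTRACK_LIMIT_ERROR instead of spinning.

```php
<?php
// Added example (not from the CodeClarityLab page): measure how PCRE backtracking
// grows for the glossary's vulnerable pattern versus an atomic-group rewrite.
// A low pcre.backtrack_limit is the safety net: instead of hanging, preg_match()
// returns false and preg_last_error() reports PREG_BACKTRACK_LIMIT_ERROR.
declare(strict_types=1);

// Keep the demo bounded: PHP's default is 1,000,000 steps; 10,000 (an arbitrary
// value chosen for this example) is enough to show the cliff without burning CPU.
ini_set('pcre.backtrack_limit', '10000');

const VULNERABLE = '/^(a+)+$/';    // nested quantifier: exponential on "aaa...ab"
const HARDENED   = '/^(?>a+)+$/';  // atomic group: a+ never gives characters back

/**
 * Run $pattern against a constructed non-matching input of $n 'a's followed by 'b'.
 * Returns 'match', 'no-match', 'limit-hit' (backtrack budget exhausted) or 'error'.
 */
function probe(string $pattern, int $n): string
{
    $input  = str_repeat('a', $n) . 'b';   // constructed adversarial input
    $result = preg_match($pattern, $input);
    if ($result === false) {
        return preg_last_error() === PREG_BACKTRACK_LIMIT_ERROR ? 'limit-hit' : 'error';
    }
    return $result === 1 ? 'match' : 'no-match';
}

// Print one row per input length so the two columns can be compared side by side.
foreach ([8, 12, 16, 20, 24] as $n) {
    printf("n=%2d  vulnerable=%-9s  hardened=%s\n", $n, probe(VULNERABLE, $n), probe(HARDENED, $n));
}
```

Run it with `php redos_probe.php`. The exact input length at which the vulnerable column flips from no-match to limit-hit depends on the PCRE2 build and whether the JIT is enabled, but the shape is what matters: only the nested-quantifier pattern ever exhausts the budget, while the atomic-group version rejects every input in roughly linear work.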

Common Misconception

ReDoS only affects poorly written regex. Even well-intentioned patterns with nested quantifiers on overlapping character classes can exhibit exponential backtracking on crafted input — always test regex against adversarial strings.

Why It Matters

A carefully crafted string can cause a regex with catastrophic backtracking to run for seconds or minutes per request — a single unauthenticated request can bring down the server.

Common Mistakes

  • Using nested quantifiers like (a+)+ or alternation that causes exponential backtracking.
  • Applying complex user-supplied or application-defined regexes to unbounded user input without length limits.
  • Not setting pcre.backtrack_limit in php.ini, or calling preg_match() without handling the false return that signals the limit was hit.
  • Validating email or URL formats with excessively complex regexes — use filter_var() instead.
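The four mistakes above map onto a short defensive wrapper. The following is an added example, not code from the glossary or from any project it names: safe_preg_match(), is_valid_email() and MAX_INPUT_LEN are names chosen here, the 256-byte cap and 100,000-step budget are illustrative values, and preg_last_error_msg() requires PHP 8.

```php
<?php
// Added example (not from the CodeClarityLab page): a defensive wrapper that applies
// the mitigations listed under Common Mistakes before any user-controlled string
// reaches preg_match(). Names and limits are this example's own assumptions.
declare(strict_types=1);

const MAX_INPUT_LEN = 256;   // hard cap on what a regex may be asked to scan (illustrative)

// Mitigation 1: a bounded backtrack budget so a pathological pattern fails fast
// instead of pinning a PHP worker. In production set this in php.ini at bootstrap.
ini_set('pcre.backtrack_limit', '100000');

/**
 * preg_match() with a length cap and explicit error handling.
 * Returns true/false for match/no-match, or null when the input was refused or the
 * engine gave up; callers must treat null as a rejected input, never as "no match".
 */
function safe_preg_match(string $pattern, string $input): ?bool
{
    // Mitigation 2: refuse oversized input before the engine sees it.
    if (strlen($input) > MAX_INPUT_LEN) {
        return null;
    }
    $result = preg_match($pattern, $input);
    if ($result === false) {
        // PREG_BACKTRACK_LIMIT_ERROR here is the signature of a ReDoS attempt or a
        // pattern that needs redesign; log it so the event is visible to operations.
        error_log(sprintf('preg_match failed: %s (pattern %s)', preg_last_error_msg(), $pattern));
        return null;
    }
    return $result === 1;
}

// Mitigation 3: for well-known formats, use the built-in validator instead of a regex.
function is_valid_email(string $candidate): bool
{
    return strlen($candidate) <= MAX_INPUT_LEN
        && filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs for a quick self-check.
var_dump(safe_preg_match('/^(a+)+$/', str_repeat('a', 40) . 'b'));   // adversarial: budget exhausted, rejected
var_dump(safe_preg_match('/^[a-z]{1,32}$/', 'username'));            // ordinary input, bounded pattern
var_dump(safe_preg_match('/^[a-z]{1,32}$/', str_repeat('x', 300)));   // over the length cap, rejected
var_dump(is_valid_email('user@example.com'));                         // built-in validator instead of a regex
var_dump(is_valid_email('not an email'));
```

The null return is deliberate: a caller that conflates "engine gave up" with "did not match" may let an attacker bypass a deny-list check simply by making the regex time out, so the wrapper forces the two outcomes apart.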

Code Examples

💡 Note
The vulnerable pattern has nested quantifiers that cause exponential backtracking on input like 'aaaaaaaaab'.
✗ Vulnerable
preg_match('/^(a+)+$/', $userInput);
✓ Fixed
// Atomic group: once a+ has matched it never gives characters back, so a non-match fails in linear time.
preg_match('/^(?>a+)+$/', $userInput);
// Defence in depth: also set pcre.backtrack_limit in php.ini and treat a false return as a rejected input.

DEV INTEL Tools & Severity
🟠 High ⚙ Fix effort: Medium
⚡ Quick Fix
Test all user-input regexes at https://redoslab.com or use the rexploiter tool — a ReDoS vulnerability can take down a PHP worker with a single crafted string
📦 Applies To
any, web, api
🔍 Detection Hints
Nested quantifiers (a+)+ or (a*)*; alternation with overlapping prefixes (foo|foobar); regex on user input without backtrack limit
Auto-detectable: ✓ Yes (rexploiter, redoslab, semgrep, pcre-heavy)
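The detection hints above can be turned into a first-pass lint over the pattern strings in a code base. This is an added example, not part of the glossary entry or of any tool it names: redos_lint() and both heuristic regexes are this example's own construction and deliberately approximate, so a hit is a candidate for adversarial testing, not a confirmed finding. Requires PHP 8.

```php
<?php
// Added example (not from the CodeClarityLab page): a small static heuristic that
// flags the two pattern shapes named in the detection hints. It is a lint, not a
// proof: it misses some vulnerable regexes (nested groups such as ((a+)b)+) and
// flags some safe ones (a separator as in (\d+,)* keeps matching linear).
declare(strict_types=1);

/**
 * Return human-readable findings for a PCRE pattern string (delimiters included,
 * e.g. '/^(a+)+$/'). An empty array means neither heuristic fired.
 */
function redos_lint(string $pattern): array
{
    $findings = [];

    // Heuristic 1: a repeated group whose body contains an unbounded quantifier,
    // e.g. (a+)+, (a*)*, (\w+\s?)*. Atomic groups (?>...) and possessive
    // quantifiers (a++) are skipped because they are the usual fix.
    $nested = '/\((?!\?>)(?:[^()\\\\]|\\\\.)*?(?<![+*?\\\\])[+*](?!\+)(?:[^()\\\\]|\\\\.)*\)[+*]/';
    if (preg_match($nested, $pattern, $m)) {
        $findings[] = "nested unbounded quantifier: {$m[0]}";
    }

    // Heuristic 2: an alternation group in which one branch is a prefix of another,
    // e.g. (foo|foobar). The cost is worst when the group is itself repeated.
    $alternation = '/\((?:\?:)?((?:[^()|\\\\]|\\\\.)+(?:\|(?:[^()|\\\\]|\\\\.)+)+)\)([+*]?)/';
    if (preg_match_all($alternation, $pattern, $groups, PREG_SET_ORDER)) {
        foreach ($groups as $g) {
            $branches = explode('|', $g[1]);
            foreach ($branches as $i => $a) {
                foreach ($branches as $j => $b) {
                    if ($i !== $j && str_starts_with($b, $a)) {
                        $findings[] = sprintf("overlapping alternation: '%s' is a prefix of '%s'%s",
                            $a, $b, $g[2] !== '' ? ' in a repeated group' : '');
                        continue 3;   // one finding per group is enough
                    }
                }
            }
        }
    }
    return $findings;
}

// Constructed patterns for a self-check; the first three are the shapes this entry names.
foreach (['/^(a+)+$/', '/^(?>a+)+$/', '/(foo|foobar)baz/', '/^(\w+\s?)*$/', '/^[a-z]{1,32}$/'] as $p) {
    printf("%-20s %s\n", $p, implode('; ', redos_lint($p)) ?: 'no heuristic fired');
}
```

Wire it into CI by collecting the first argument of every preg_* call (a semgrep rule or a grep over `preg_match\('` is enough) and failing the build on any finding that has not been reviewed; the fixed pattern from the Code Examples section passes, the vulnerable one does not.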
Related CWEs: CWE-1333, CWE-400
