ReDoS (Regex Denial of Service)
Regular expressions with nested quantifiers can take exponential time to evaluate certain inputs, freezing your Node.js event loop.
How It Works
The JavaScript regex engine uses backtracking. A pattern like /(a+)+$/ applied to a string like 'aaaaaaaaab' causes the engine to explore an exponential number of paths before failing. Because Node.js is single-threaded, one malicious request can block the entire server for seconds.
// BAD: nested quantifiers cause catastrophic backtracking
const emailRegex = /^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*)+@/;
if (emailRegex.test(userInput)) { /* ... */ }

// GOOD: use a linear-time validator or a safe library
import isEmail from 'validator/lib/isEmail';
if (isEmail(userInput)) { /* ... */ }

Real-World Example
In 2016, a ReDoS vulnerability in the moment.js date parsing regex caused a 28-minute outage for Stack Overflow when a single malformed date string was submitted.
How to Prevent It
- Test regex patterns with tools like safe-regex or vuln-regex-detector before deploying
- Avoid nested quantifiers like (a+)+, (a*)*, or alternation with overlapping groups
- Set a maximum input length before running regex on user input
- Use purpose-built validation libraries (validator.js, zod) instead of handwritten regex for common formats
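A runnable illustration of the backtracking behaviour described under How It Works together with two of the mitigations listed above (a linear-time rewrite of the page's email regex and an input-length cap). This is an added example, not code from the original page or from Data Hogo; the 64-character cap, the crafted inputs and the helper names are assumptions made for the demonstration.

```javascript
// Added example (not from the original page): the vulnerable email regex
// beside a linear-time rewrite, plus the input-length cap the page recommends.

// Vulnerable pattern quoted on the page. The outer (...)+ can split one run of
// letters into any number of iterations, so on a non-matching input such as
// "aaaa...a!" the engine retries about 2^(n-1) ways of splitting before failing.
const BAD_EMAIL = /^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*)+@/;

// Linear-time rewrite: one alphanumeric run, then zero or more ".run" groups.
// Each character has exactly one place it can be consumed, so a failed match
// backtracks a bounded number of steps per character instead of exploding.
const SAFE_EMAIL = /^[a-zA-Z0-9]+(?:\.[a-zA-Z0-9]+)*@/;

// Constructed worst-case input for BAD_EMAIL: n letters and then no '@'.
function craftInput(n) {
  return 'a'.repeat(n) + '!';
}

// Runs re.test() and reports wall-clock time in ms (performance is a Node global).
function timeTest(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Mitigation from the page: cap input length before the regex ever runs, so a
// single request cannot pin the event loop even if the pattern is bad.
// 64 is an assumed cap (the RFC 5321 local-part limit), not a value from the page.
const MAX_LEN = 64;
function boundedTest(re, input, maxLen = MAX_LEN) {
  if (typeof input !== 'string' || input.length > maxLen) return false;
  return re.test(input);
}

// Times both patterns on the same crafted inputs; the bad column roughly
// doubles with each extra character while the safe column stays flat.
function compare(lengths) {
  return lengths.map((n) => {
    const input = craftInput(n);
    return { n, bad: timeTest(BAD_EMAIL, input).ms, safe: timeTest(SAFE_EMAIL, input).ms };
  });
}

for (const row of compare([12, 16, 20])) {
  console.log(`n=${row.n}  bad=${row.bad.toFixed(1)} ms  safe=${row.safe.toFixed(3)} ms`);
}
```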
Affected Technologies
Data Hogo detects this vulnerability automatically.
Related Vulnerabilities
Prototype Pollution (high)
Merging user-controlled objects without filtering lets attackers modify Object.prototype and affect every object in the application.
Insecure Randomness (high)
Using Math.random() for security-sensitive values like tokens or IDs is predictable and can be brute-forced.
Malicious Service Worker (medium)
A service worker registered without scope restrictions can intercept all network requests for a domain, including those from other pages.