Security ⚑ Medium severity

Regex Denial of Service

Complex regex with overlapping alternation causes catastrophic backtracking — blocks the event loop.

Catastrophic backtracking happens when a regex has overlapping alternation or nested repetition. The engine tries exponentially many combinations before giving up, blocking the event loop. A single request can take 30+ seconds. Even well-known packages (cross-spawn, path-to-regexp, fast-xml-parser) have shipped ReDoS CVEs that were discovered post-release.

❌ Vulnerable
```javascript
// VULNERABLE — catastrophic backtracking: adjacent and nested unbounded quantifiers over overlapping character sets
const emailRegex = /^([a-zA-Z0-9])+([a-zA-Z0-9._-])*@([a-zA-Z0-9-])+(\/[a-zA-Z0-9-._~:?#[\]!$&'()*+,;=]*)*$/;
// Attacker: aaaaaaaaaaaaaaaaaaaaaaaa!
```
✓ Fixed
```javascript
// FIXED — keep each check linear: a flat character class with a single quantifier,
// or use a non-backtracking engine (the built-in JS engine has no atomic groups
// or possessive quantifiers to fall back on)
// Option 1: split into simpler checks
const isValidEmail = (email) => {
  if (typeof email !== 'string') return false;
  const parts = email.split('@');
  if (parts.length !== 2) return false;          // exactly one '@'
  const [local, domain] = parts;
  if (!local || !domain) return false;
  if (!/^[a-zA-Z0-9.-]+$/.test(local)) return false;   // one class, one quantifier: linear time
  if (!/^[a-zA-Z0-9.-]+$/.test(domain)) return false;
  return true;
};
// Option 2: use re2 (non-backtracking)
// const RE2 = require('re2');
// const safeRegex = new RE2(pattern);
```
CVE-2024-21538 (cross-spawn ReDoS, CVSS 8.7), CVE-2024-41818 (fast-xml-parser ReDoS via crafted XML), CVE-2024-52798 (path-to-regexp ReDoS with multiple regex params in one segment), CVE-2024-21503 (Python black code formatter ReDoS), CVE-2024-6232 (Python tarfile ReDoS).
PullLight detects complex regex patterns (quantifiers inside alternation, overlapping groups like `(a+)+`, `(a|ab)+`) in production code paths, especially when user input feeds into `.test()`, `.match()`, or `.replace()`. It flags patterns from vulnerable packages (cross-spawn, path-to-regexp, fast-xml-parser) and detects catastrophic backtracking signatures.
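As an added example (not PullLight's code and not from the original page), here is a small text-level heuristic in JavaScript that reports the two signatures named above: nested unbounded quantifiers such as `(a+)+` and quantified alternations whose branches overlap such as `(a|ab)+`. The function names `findRedosSignatures`, `unboundedQuantifierAt`, `firstAtom`, `branchesOverlap` and `classEnd` are this example's own. It goes slightly beyond the two literal shapes in the text: `{n,}` counts as unbounded, and non-capturing, lookaround and named groups are skipped over correctly. It scans regex source text without building an automaton, so it can both miss patterns and over-report; treat a finding as a prompt to review the pattern, not as a proof.

```javascript
// Added example (not PullLight's code): a text-level heuristic for the two
// catastrophic-backtracking shapes named above, nested unbounded quantifiers
// such as (a+)+ and quantified alternations with overlapping branches such as
// (a|ab)+. It scans regex source without building an automaton, so treat its
// output as a review prompt, not a proof. All names here are the example's own.

// Index of the ']' that closes the character class opening at src[i].
function classEnd(src, i) {
  let j = i + 1;
  while (j < src.length && src[j] !== ']') j += src[j] === '\\' ? 2 : 1;
  return j;
}

// Length of an unbounded quantifier at src[j], or 0: "+", "*" and "{n,}" count;
// "?" and "{n,m}" are bounded and deliberately ignored.
function unboundedQuantifierAt(src, j) {
  if (src[j] === '+' || src[j] === '*') return 1;
  const m = src[j] === '{' ? /^\{\d+,\}/.exec(src.slice(j)) : null;
  return m ? m[0].length : 0;
}

// First atom of a branch (escape, class, nested group, or one character),
// used to compare alternation branches. An empty branch or "." overlaps anything.
function firstAtom(b) {
  if (b === '' || b[0] === '(') return b;
  if (b[0] === '\\') return b.slice(0, 2);
  if (b[0] === '[') return b.slice(0, classEnd(b, 0) + 1);
  return b[0];
}

function branchesOverlap(branches) {
  const atoms = branches.map(firstAtom);
  return atoms.some((x, a) => atoms.some((y, b) =>
    a < b && (x === '' || y === '' || x === '.' || y === '.' || x === y)));
}

// Scan a regex source string; returns findings of the form
// { kind: 'nested-quantifier' | 'overlapping-alternation', at: <index of the '('> }.
function findRedosSignatures(src) {
  const findings = [];
  const stack = []; // open groups: { start, hasQuantifier, branches }
  const top = () => stack[stack.length - 1];
  const append = (text) => { if (stack.length) top().branches[top().branches.length - 1] += text; };
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '\\') { append(src.slice(i, i + 2)); i += 2; continue; }
    if (c === '[') { const j = classEnd(src, i); append(src.slice(i, j + 1)); i = j + 1; continue; }
    if (c === '|') { if (stack.length) top().branches.push(''); i++; continue; }
    if (c === '(') {
      stack.push({ start: i, hasQuantifier: false, branches: [''] });
      i++;
      if (src[i] === '?') { // skip (?: (?= (?! (?<= (?<! and (?<name>
        const m = /^\?(?::|=|!|<=|<!|<[^>]*>)/.exec(src.slice(i));
        i += m ? m[0].length : 1;
      }
      continue;
    }
    if (c === ')') {
      const g = stack.pop();
      if (!g) { i++; continue; } // unbalanced ')': ignore it
      const qLen = unboundedQuantifierAt(src, i + 1);
      if (qLen && g.hasQuantifier) findings.push({ kind: 'nested-quantifier', at: g.start });
      if (qLen && g.branches.length > 1 && branchesOverlap(g.branches)) {
        findings.push({ kind: 'overlapping-alternation', at: g.start });
      }
      const text = src.slice(g.start, i + 1 + qLen);
      i += 1 + qLen;
      if (stack.length) top().hasQuantifier = top().hasQuantifier || g.hasQuantifier || qLen > 0;
      append(text); // the closed group is one atom of the parent's current branch
      continue;
    }
    const qLen = unboundedQuantifierAt(src, i);
    if (qLen) {
      if (stack.length) top().hasQuantifier = true;
      append(src.slice(i, i + qLen));
      i += qLen;
      continue;
    }
    append(c);
    i++;
  }
  return findings;
}

// Constructed samples: the page's vulnerable regex, its fixed replacement,
// and the two signatures named in the text.
const SAMPLES = {
  pageVulnerable: String.raw`^([a-zA-Z0-9])+([a-zA-Z0-9._-])*@([a-zA-Z0-9-])+(\/[a-zA-Z0-9-._~:?#[\]!$&'()*+,;=]*)*$`,
  pageFixed: '^[a-zA-Z0-9.-]+$',
  nested: '(a+)+',          // → [{ kind: 'nested-quantifier', at: 0 }]
  overlapping: '(a|ab)+',   // → [{ kind: 'overlapping-alternation', at: 0 }]
};

for (const [name, src] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(findRedosSignatures(src)));
}
```

Run on the page's own patterns, the vulnerable regex yields a single `nested-quantifier` finding at the `(\/...*)*` group, while the fixed `^[a-zA-Z0-9.-]+$` yields nothing, which is the shape a reviewer wants: one flat class, one quantifier, no groups. In a CI step the same function can be applied to every regex literal or `new RegExp(...)` argument found in a diff; the branch comparison is by first atom only, so `(\d|[0-9])+` is an example of an overlap it will not catch.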