Regular Expression Denial of Service
Description
The regular expression applied to user-supplied input is vulnerable to regular expression denial of service (ReDoS): crafted input can make matching take excessive time, causing the application to become unresponsive or crash.
Examples
Insecure Code
```javascript
app.get('/', (req, res) => {
  // Unbounded pattern applied directly to untrusted query input
  const regex = /^.*$/;
  regex.test(req.query.input);
  res.send('Hello World');
});
```
Secure Code
```javascript
app.get('/', (req, res) => {
  // Allowlist of alphanumeric characters; no nested or overlapping quantifiers
  const regex = /^[a-zA-Z0-9]+$/;
  regex.test(req.query.input);
  res.send('Hello World');
});
```
Remediation
Use a regex pattern that is safe from catastrophic backtracking (no nested or overlapping quantifiers), and validate user input, including its length, before matching it against the pattern.
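A hardened version of the handler above, added here as an example that is not part of the original rule page: input is type-checked and length-bounded before the allowlist regex runs, and the request is rejected with 400 instead of silently testing whatever the client sent. The limit `MAX_INPUT_LENGTH` and the helper names are assumptions for this example; `handleRequest` takes a plain query object so the code runs without Express.

```javascript
// Added example (not from the original rule page): a hardened version of the
// route handler. Express is not required; handleRequest() takes a plain query
// object and returns the status/body the route would send.

const MAX_INPUT_LENGTH = 64;              // hypothetical limit chosen for this example
const SAFE_INPUT = /^[a-zA-Z0-9]{1,64}$/; // allowlist with a bounded quantifier

// Returns { ok: true } or { ok: false, reason } without ever running the regex
// on oversized or non-string input.
function validateInput(value) {
  // Query parameters can arrive as arrays (?input=a&input=b) or be missing.
  if (typeof value !== 'string') {
    return { ok: false, reason: 'input must be a single string' };
  }
  // Cheap length check first: bounds the work the regex engine can do.
  if (value.length === 0 || value.length > MAX_INPUT_LENGTH) {
    return { ok: false, reason: `input length must be 1-${MAX_INPUT_LENGTH}` };
  }
  // Character-class allowlist with a fixed upper bound: no nested or
  // overlapping quantifiers, so matching is linear in the input length.
  if (!SAFE_INPUT.test(value)) {
    return { ok: false, reason: 'input contains disallowed characters' };
  }
  return { ok: true };
}

// Equivalent of the route handler: invalid input is rejected with 400.
function handleRequest(query) {
  const result = validateInput(query.input);
  if (!result.ok) {
    return { status: 400, body: result.reason };
  }
  return { status: 200, body: 'Hello World' };
}

// Express wiring would be:
// app.get('/', (req, res) => {
//   const r = handleRequest(req.query);
//   res.status(r.status).send(r.body);
// });
```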
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0366 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-185 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | regex, denial of service |
| OWASP | A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration |