ReDoS — Regular Expression Denial of Service
ReDoS (Regular Expression Denial of Service) exploits how some regular expressions behave with certain inputs — specifically, regex engines that use backtracking can take exponentially longer as input length increases when given a carefully crafted string. A single malicious HTTP request containing a few hundred characters can hang a Node.js server for seconds or cause a complete CPU lockup.
How backtracking causes ReDoS
Most regex engines use backtracking: when one path through a pattern fails to match, the engine backs up and tries the next alternative. For certain patterns this creates an explosion of possibilities. Consider a regex like (a+)+, anchored so the whole string must match (^(a+)+$), against the input aaaaaaaaX. Because the trailing X can never match, the engine tries every possible way of splitting the run of a's between the inner and outer quantifier before concluding there is no match, and the number of attempts grows exponentially with the number of a's.
ReDoS in popular packages
- moment.js — CVE-2022-31129, CVE-2017-18214 — date parsing regex
- semver — CVE-2022-25883 — version coerce() function
- marked — CVE-2022-21681 — markdown parsing
- validator — CVE-2021-3765 — email validation
- Django — CVE-2024-27351 — strip_tags() HTML sanitizer
- pydantic — CVE-2024-3772 — email address validation
Why Node.js is especially vulnerable
Node.js runs JavaScript in a single-threaded event loop. A ReDoS attack that hangs the regex engine for 2 seconds doesn't just slow down one request — it blocks all other requests for those 2 seconds. A moderate-scale attack can completely take down a Node.js server with minimal bandwidth.
The ReDoS checker can identify vulnerable regex patterns in your own code. For dependencies, PackageFix flags packages with known ReDoS CVEs.
Paste your manifest — get a fixed version with all CVEs patched in seconds.
Open PackageFix → Free · No signup · No CLI · Runs in your browser