How Evil Regex Can Cripple Your Server: Understanding ReDoS Attacks

Introduction

When you think of a denial‑of‑service (DoS) attack you probably imagine a flood of bots overwhelming a web server, but there is another, less known vector: ReDoS, a denial‑of‑service caused by regular expressions.

What Is a Regular Expression?

A regular expression (regex) is a pattern used to match strings in code. For example, to validate an email address on the server side you might use the pattern [a-z0-9]+@[a-z]+\.[a-z]{2,3}.

let regex = new RegExp('[a-z0-9]+@[a-z]+\.[a-z]{2,3}');
let testEmails = [
  "notanemail.com",
  "[email protected]",
  "[email protected]",
  "[email protected]"
];
testEmails.forEach(address => {
  console.log(regex.test(address));
});

The pattern consists of: [a-z0-9]+: one or more lowercase letters or digits. @: the at‑sign. [a-z]+: one or more lowercase letters. \.: a literal dot. [a-z]{2,3}: a domain suffix of two or three letters.

Matching the email [email protected] against this regex shows how each part corresponds to the pattern.

Evil Regular Expressions (ReDoS)

An evil regex is a pattern that an attacker can exploit to cause excessive backtracking. Typical characteristics include:

Nested quantifiers such as + or * applied to complex sub‑expressions.

Ambiguous suffixes where a match can also be a valid suffix of another match.

Consider the regex ^(a+)+$. When the input is a long string of a characters the engine quickly returns true, but adding a single exclamation mark ( !) forces the engine to explore billions of possible backtracking paths, taking seconds or more to return false.

The engine repeatedly backtracks, trying alternative ways to satisfy the nested + quantifiers, which leads to exponential time complexity.

Demonstration of Backtracking

A possible backtracking sequence for the input aaaaaaaaaaaaaaaaaaaaaaaaaaaaa! shows the engine trying different partitions of the a characters (e.g., {aaaaaaaa...}, {aa}, {a}) before finally failing, illustrating how the number of attempts can approach 2,147,483,647.

This exponential growth makes ReDoS a serious threat to application availability and can incur significant cost.

Exploitability

Developers often write regexes that are vulnerable. Attackers can locate these patterns in source code—sometimes even publicly available repositories—and exploit them to bypass security controls or exhaust server resources.

Mitigation Measures

Avoid using complex, nested quantifiers whenever possible, especially for beginners.

Prefer safe, well‑tested regexes or alternative validation methods.

Test regexes with tools such as regex101.com before deployment.

Continuously scan user input for malicious patterns.

Use efficient regex engines like Google’s RE2.

Check whether your environment uses a vulnerable engine; for example, the url-regex package is known to be risky.

Conclusion

Seemingly minor regex mistakes can introduce severe security risks. This article has shown how harmful regex patterns can trigger DoS attacks, explained the underlying backtracking mechanism, and offered practical steps to mitigate the threat, protecting both availability and cost.