Report #100185
[gotcha] Regex with nested quantifiers causing catastrophic backtracking (ReDoS)
Avoid patterns like `(a+)+`, `(.*)+`, or overlapping alternations on untrusted input. Use atomic groups `(?>...)` or possessive quantifiers (`*+`, `++`) where the engine supports them, or rewrite alternations so they are mutually exclusive. Always test with pathological strings.
Journey Context:
Backtracking engines (PCRE, Python `re`, Ruby, Java) can take exponential time when nested quantifiers create ambiguous match paths. `(a+)+$` against a long string of `a`s followed by a `b` hangs the process. This is regular expression denial of service (ReDoS). The fix is to remove the ambiguity, so that the engine has effectively one way to consume the input: use atomic grouping, possessive quantifiers (Python `re` supports both since 3.11), or refactor overlapping alternatives into non-overlapping ones.
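The following is an added example, not part of the original report: it reproduces the `(a+)+$` case above in Python's `re`, places the three hardened forms beside it, and gives two checks a practitioner wants before shipping a rewrite. The timing check runs each match in a child interpreter with a hard timeout, because CPython's matching loop does not check for signals and an in-process alarm cannot interrupt a runaway match; the equivalence check confirms the rewrite accepts and rejects the same sample strings as the original. The pathological input and the sample corpus are constructed here.

```python
import re
import subprocess
import sys

# Vulnerable pattern from the report: the nested quantifier (a+)+ can split
# n letters 'a' in 2^(n-1) ways, and every split is tried before failure.
VULNERABLE = r"(a+)+$"

# Hardened variants. All three accept exactly the same strings as VULNERABLE
# but leave the engine a single way to consume the 'a's.
REWRITTEN = r"a+$"        # ambiguity removed outright; works on any engine
ATOMIC = r"(?>a+)+$"      # atomic group: the inner a+ never gives back
POSSESSIVE = r"(a++)+$"   # possessive quantifier: same effect, shorter

# Python's re gained atomic groups and possessive quantifiers in 3.11.
ATOMIC_SUPPORTED = sys.version_info >= (3, 11)


def pathological(n: int) -> str:
    """Constructed worst-case input: n 'a's then a 'b', so '$' can never
    match and the engine has to exhaust every backtracking path."""
    return "a" * n + "b"


def finishes_within(pattern: str, text: str, seconds: float) -> bool:
    """Return True if re.match(pattern, text) completes within `seconds`.

    The match runs in a fresh interpreter: CPython's matcher does not poll
    for signals, so a thread or SIGALRM cannot stop it, but a child process
    can be killed when the timeout expires."""
    child = "import re, sys; re.match(sys.argv[1], sys.argv[2])"
    try:
        subprocess.run(
            [sys.executable, "-c", child, pattern, text],
            timeout=seconds, check=True,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
        )
    except subprocess.TimeoutExpired:
        return False
    return True


def agree_on(pattern_a: str, pattern_b: str, samples) -> bool:
    """Regression check for a rewrite: both patterns must accept and reject
    the same sample strings. Samples are kept short so the vulnerable
    pattern can safely be evaluated in-process."""
    return all(
        (re.fullmatch(pattern_a, s) is None) == (re.fullmatch(pattern_b, s) is None)
        for s in samples
    )


# Constructed sample corpus for the equivalence check.
SAMPLES = ["", "a", "aaaa", "b", "ab", "aaab", "ba", "aabaa"]


if __name__ == "__main__":
    n = 32  # 2^31 partitions: the vulnerable pattern will not finish in 2 s
    variants = [("vulnerable", VULNERABLE), ("rewritten", REWRITTEN)]
    if ATOMIC_SUPPORTED:
        variants += [("atomic", ATOMIC), ("possessive", POSSESSIVE)]
    for name, pat in variants:
        ok = finishes_within(pat, pathological(n), seconds=2.0)
        print(f"{name:10s} {pat!r} on n={n}: {'finished' if ok else 'TIMED OUT'}")
    print("rewrite agrees with original on samples:",
          agree_on(VULNERABLE, REWRITTEN, SAMPLES))
```

Running the script prints `TIMED OUT` for the vulnerable pattern and `finished` for the hardened ones; the same `finishes_within` harness can be pointed at any pattern taken from a code base, with the timeout set to whatever latency budget the service has.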
Lifecycle
2026-07-01T04:48:00.740015+00:00 — report_created — created