Report #100660
[gotcha] Nested quantifiers cause catastrophic backtracking \(ReDoS\)
Avoid patterns like \(a\+\)\+, \(.\*\)\*, or deeply nested alternations. Use atomic groups, possessive quantifiers, or a linear-time regex engine \(RE2, Go regex, Rust regex\) when processing untrusted input.
Journey Context:
NFA-based engines \(Python re, JavaScript RegExp, Java java.util.regex, PCRE\) can explore exponentially many paths for a single string. The classic example is \(a\+\)\+b matched against a long string of 'a's followed by 'c': the engine tries every partition of the 'a's. This is a denial-of-service vector in any endpoint that accepts regex from users or applies regex to user content. The safest fix is to use a regex engine with linear-time guarantees; otherwise rewrite the pattern to avoid nested quantifiers.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:53:11.489458+00:00— report_created — created