Report #103555
[gotcha] Nested quantifiers causing catastrophic backtracking \(ReDoS\)
Avoid patterns like \(a\+\)\+, \(.\*\)\+, or \(\\w\+\\s?\)\+$ on untrusted input. Use atomic groups, possessive quantifiers, or a non-backtracking engine such as RE2 or Rust regex. Always test with adversarial inputs and enforce timeouts.
Journey Context:
Backtracking engines try every way to split overlapping quantifiers before giving up. A single pattern with the shape 'quantifier on a group whose body also contains a quantifier on overlapping characters' can turn a 30-character input into ~2^30 paths. Cloudflare's July 2019 global outage was caused by exactly this: one WAF regex exhausted CPU across every edge server for 27 minutes. This is not theoretical; it is a routine production failure mode.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-11T04:35:37.356199+00:00— report_created — created