---
title: "ReDoS (Regex DoS) Explained"
description: "ReDoS attacks use malicious input to make regular expressions take exponential time. Learn how to identify and fix vulnerable regex patterns in your code."
ogDescription: "Learn how regex denial of service works and how to prevent it."
date: 2026-01-22
dateModified: 2026-01-22
category: vulnerabilities
readTime: "5 min read"
schemaType: TechArticle
path: /blog/vulnerabilities/regex-dos
---

**TL;DR:** ReDoS (Regular Expression Denial of Service) happens when a regex pattern takes exponentially longer to process certain inputs. Attackers send crafted strings that cause your regex to run for minutes or hours, freezing your Node.js event loop. Avoid nested quantifiers and test your regexes with tools like safe-regex.

## How ReDoS Works

Some regex patterns have "catastrophic backtracking" where the engine tries many different ways to match before failing. Each additional character can double the processing time.

Vulnerable regex pattern:

```javascript
// Evil pattern: nested quantifiers
const emailRegex = /^([a-zA-Z0-9]+)+@/;

// Normal input: "user@example.com" - fast
// Attack input: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!" - SLOW!

// The regex tries every way to split the "a"s
// 30 characters = 2^30 combinations = ~1 billion tries
```

**Node.js warning:** JavaScript runs on a single thread. While the regex is processing, nothing else can execute. One ReDoS attack can freeze your entire server.

### Dangerous Patterns

- Nested quantifiers: `(a+)+`, `(a*)*`, `(a+)*`
- Overlapping alternations: `(a|a)+`
- Groups with repetition: `([a-zA-Z]+)*`

## How to Prevent ReDoS

Safe alternatives:

```javascript
// Use atomic groups or possessive quantifiers (if supported)
// Or rewrite the pattern

// Dangerous
const bad = /^([a-zA-Z0-9]+)+$/;

// Safe alternative
const good = /^[a-zA-Z0-9]+$/;

// Or use a library
import validator from 'validator';
validator.isEmail(input);  // Pre-tested, safe patterns
```

**How do I test my regexes?**

Use tools like safe-regex, rxxr2, or regex-static-analysis. Also test manually with strings like "aaaaaaaaaaaaaaaaaaaaa!" to see if they hang.

**Should I avoid regex entirely?**

No, but be careful with user-controlled input. Use battle-tested libraries for common patterns (emails, URLs) and limit input length before regex processing.

Related articles:

- [Rate Limiting](/blog/vulnerabilities/missing-rate-limiting): Defense in depth
- [Input Validation](/blog/how-to/validate-user-input): Validation techniques
- [Command Injection](/blog/vulnerabilities/command-injection): Another input issue

## Scan for ReDoS Patterns

Our scanner identifies dangerous regex patterns in your code. [Start Free Scan](/)