HomeBlogPreventing Regex Denial of Service (ReDoS)
Security8 min read

Preventing Regex Denial of Service (ReDoS)

MT
Marcus Thorne
AppSec Lead • Published May 14, 2026
REGEX MATCH LATENCYLenTimeO(N) SafeO(2^N) ReDoS!BACKTRACK EVALUATIONq0q1q2Backtrack
Verified Sandbox
Back to Insights
VERIFIED APPSec COMPLIANCE
100% Client-Side 0 Network Packets Offline Capable

Regular expressions are incredibly powerful, but poorly written regex patterns can cause exponential backtracking, leading to a Regular Expression Denial of Service (ReDoS) attack.

What is Exponential Backtracking?

When a regex engine tries to match a string and encounters overlapping groups or nested quantifiers, it may evaluate a huge number of combinations. For example, evaluating (a+)+ against aaaaaaaab requires exponentially more operations for every 'a' added. When the engine encounters a non-matching character at the end (like 'b'), it backtracks through every possible grouping of the preceding 'a's, causing CPU spikes that freeze execution threads.

The Node.js Single-Threaded Danger

In single-threaded environments like Node.js, a CPU-intensive backtracking operation blocks the event loop. This means that while a single malicious string is being validated, your entire server is frozen. It cannot respond to other incoming API calls, handle database records, or serve files, effectively taking your application offline. Threat actors exploit this vulnerability to orchestrate low-bandwidth denial-of-service campaigns.

How to Detect and Prevent ReDoS

To secure your application, you should follow these rules:

  • Avoid Nested Quantifiers: Never write expressions containing patterns like (a+)+ or (a*)*.
  • Use Safe Matching Libraries: Implement regex libraries that run in linear time (such as Google's RE2 engine) for untrusted user inputs.
  • Set Execution Timeouts: Configure validation time limits so matching routines exit if they exceed milliseconds.

Safe Testing with Local Web Workers

Testing regexes on public websites is risky; pasting proprietary matching patterns exposes logic, while unoptimized test cases can freeze your browser tab. SecureDevUtils provides a client-side Regex Tester that runs matches in a background Web Worker. If a pattern backtracks excessively, the worker thread is terminated safely, keeping your browser UI fluid and your test cases private.

Try it safely right now in SecureDevUtils. Paste your patterns and test cases completely offline to check matching performance.

Frequently Asked Questions

What is backtracking in regex engines?

Backtracking occurs when a regex engine matches part of a string but fails later in the expression. The engine must step backward and attempt alternative paths in the matching tree to find a valid match. With nested quantifiers, this search space grows exponentially.

Can ReDoS be exploited in front-end client browsers?

Yes. If a regex validates input on the client side without web worker isolation, a ReDoS string will freeze the user's browser window, forcing them to kill the tab. It is a client-side denial-of-service attack.

Why is Google's RE2 engine immune to ReDoS?

Google's RE2 engine uses a deterministic finite automaton (DFA) instead of a backtracking engine (NFA). This guarantees that matching times scale linearly with the length of the input string, preventing exponential backtracking vulnerabilities.

MT

Marcus Thorne

Verified Expert

Marcus Thorne is a appsec lead specializing in cryptography, web standards, and cloud vulnerability prevention. Previously designed security policies at leading technology organizations.

Published: May 14, 2026 • Last Reviewed: June 20, 2026 • Security Level: Air-Gapped Sandbox
Featured Local Utility

Safe Regex Tester

Test regular expressions safely inside isolated background web workers to prevent ReDoS freezes.

Open Secure Tool
Share this security insight:

Related Insights

Secure Online JSON Formatter: Private Formatting
Privacy

Secure Online JSON Formatter: Private Formatting

8 min read
Decode JSON Web Tokens (JWT) Locally and Safely
Security

Decode JSON Web Tokens (JWT) Locally and Safely

7 min read
The Hidden Risks of Online Developer Tools
Security

The Hidden Risks of Online Developer Tools

9 min read