The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Some regular expression engines have a feature called "backtracking": if a token cannot match, the engine "backtracks" to an earlier position and tries a different way of matching that may succeed. Backtracking becomes a weakness if all of these conditions are met:

- The number of possible backtracking attempts is exponential relative to the length of the input.
- The input can fail to match the regular expression.
- The input can be long enough for the exponential blow-up to matter.

Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
Threat Mapped score: 0.0
Industry: Financial
Threat priority: Unclassified
CVE: CVE-2020-5243
Server allows ReDoS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE: CVE-2021-21317
npm package for user-agent parser prone to ReDoS due to overlapping capture groups
CVE: CVE-2019-16215
Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.
CVE: CVE-2019-6785
Long string in a version control product allows DoS due to an inefficient regex.
CVE: CVE-2019-12041
JavaScript code allows ReDoS via a long string due to excessive backtracking.
CVE: CVE-2015-8315
ReDoS when parsing time.
CVE: CVE-2015-8854
ReDoS when parsing documents.
CVE: CVE-2017-16021
ReDoS when validating URL.
Phase | Note |
---|---|
Implementation | A RegEx can be easy to create and read using unbounded matching characters, but the programmer might not consider the risk of excessive backtracking. |
Intro: This example attempts to check if an input string is a "sentence" [REF-1164].
Body: The regular expression has a vulnerable backtracking clause, (\w+\s?)*$, which can be triggered to cause a Denial of Service by processing particular phrases: a run of word characters followed by a character that cannot match can be split between the inner \w+ and the outer * in exponentially many ways, and the engine tries every split before reporting failure. The vulnerable version is:

```javascript
var test_string = "Bad characters: $@#";
// Vulnerable: a quantified group (\w+ ...)* whose iterations can consume the
// same run of word characters in many different ways
var bad_pattern = /^(\w+\s?)*$/i;
var result = test_string.search(bad_pattern);
```

To fix the backtracking problem, the repeated word is wrapped in a lookahead (the ?= portion of the expression) and the text it captured is then consumed again by the backreference \2; the engine cannot backtrack into a lookahead once it has succeeded, so each word is matched exactly one way and the backtracking is removed.
Intro: This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].
Body: The regular expression has the same vulnerable backtracking clause, (\w+\s?)*$, which can be triggered to cause a Denial of Service by processing particular phrases. The vulnerable version is:

```perl
my $test_string = "Bad characters: \$\@\#";
my $bdrslt = $test_string;
# Vulnerable: the quantified group (\w+\s?)* backtracks exponentially on
# a long run of word characters that is followed by a non-matching character
$bdrslt =~ /^(\w+\s?)*$/i;
```

To fix the backtracking problem, the repeated word is wrapped in a lookahead (the ?= portion of the expression) and the captured text is consumed again by the backreference \2, which prevents the backtracking.
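The following is an added example, not code from the CWE entry or from either demonstrative example above; it serves both the JavaScript and the Perl "sentence" examples and the three backtracking conditions listed at the top of the page. It puts the vulnerable pattern beside the hardened form the text describes (lookahead plus backreference \2), adds an input-length cap as a second line of defence, and times both patterns on a constructed non-matching input so the exponential growth is visible. The function names, the length limit of 1000 and the attack string are assumptions made for this example; the hardened pattern is the one the description of the fix implies.

```javascript
// Added example (not from the page). Vulnerable "sentence" check beside a
// hardened version, plus a timing harness. Run with: node redos_demo.js

// Vulnerable: the iterations of (\w+\s?)* can consume one run of word
// characters in ~2^n different ways, and a non-matching input makes the
// engine try all of them before it fails.
const BAD_PATTERN = /^(\w+\s?)*$/i;

// Hardened: the lookahead captures one run of \w+ into group 2 and the
// backreference \2 then consumes exactly that run. ECMAScript lookaheads are
// atomic (the engine never backtracks into them), so each run is split only
// one way and the match cost is linear in the input length.
const GOOD_PATTERN = /^((?=(\w+))\2\s?)*$/i;

// Assumed defensive limit (not from the page): an attacker-controlled input
// longer than this never reaches the regex at all, which removes the
// "input can be long enough" condition even if a pattern later turns out
// to backtrack.
const MAX_SENTENCE_LENGTH = 1000;

function isSentenceVulnerable(input) {
  return BAD_PATTERN.test(input);
}

function isSentenceSafe(input) {
  if (typeof input !== "string" || input.length > MAX_SENTENCE_LENGTH) {
    return false;
  }
  return GOOD_PATTERN.test(input);
}

// Constructed attack string: n word characters followed by a character that
// \w, \s and $ all refuse, so the overall match must fail and the engine is
// forced through the full backtracking search.
function attackString(n) {
  return "a".repeat(n) + "!";
}

// Wall-clock milliseconds for a single test() call (performance.now is
// available in Node and in browsers). Used only to show the growth curve.
function timeMs(pattern, input) {
  const start = performance.now();
  pattern.test(input);
  return performance.now() - start;
}

// Time both patterns for each input size. For the vulnerable pattern each
// extra character roughly doubles the time; the hardened one stays flat.
function growthTable(sizes) {
  return sizes.map((n) => ({
    n,
    badMs: timeMs(BAD_PATTERN, attackString(n)),
    goodMs: timeMs(GOOD_PATTERN, attackString(n)),
  }));
}

// Demo: sizes kept small enough to finish quickly; raise them a few at a
// time to watch the vulnerable column explode.
for (const row of growthTable([8, 12, 16, 20])) {
  console.log(
    `n=${row.n}\tvulnerable=${row.badMs.toFixed(2)}ms\thardened=${row.goodMs.toFixed(3)}ms`
  );
}
```

Both patterns accept exactly the same strings (words separated by at most one whitespace character, with no leading whitespace), so the hardened form is a drop-in replacement; only the cost of rejecting an input changes. The same idea in Perl does not need the lookahead trick, because Perl has native atomic groups and possessive quantifiers: `/^((?>\w+)\s?)*$/i` or `/^(\w++\s?)*$/i` stops the engine from backtracking into the word in the same way.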