Inefficient Regular Expression Complexity

CWE-1333

Overtime trend (NVD)

CVSS severity (NVD, All Time)

Per technology (GHSA, All time)

53%-NPM
20%-RubyGems
14%-Pip
11%-Others

Short description

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Extended description

Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match.Backtracking becomes a weakness if all of these conditions are met:

The number of possible backtracking attempts are exponential relative to the length of the input.
The input can fail to match the regular expression.
The input can be long enough.

Best practices to prevent this CWE

Phase: Architecture and Design

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Effectiveness: High

Phase: System Configuration

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Effectiveness: Moderate

Phase: Implementation

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Effectiveness: High

Phase: Implementation

Limit the length of the input that the regular expression will process.

Effectiveness: Moderate

Recently published CVEs

CVE-2024-21538
CVE-2024-49761
CVE-2024-50574
CVE-2020-26311
CVE-2020-26310

Recently published GHSA

GHSA-wq8x-cg39-8mrr
GHSA-j3x3-r585-4qhg
GHSA-7q7g-4xm8-89cq
GHSA-pjwm-cr36-mwv3
GHSA-3xgq-45jj-v275

Prioritize and Uncover Reachable Vulnerabilities in Your Application Code

Identify externally reachable data flows and vulnerabilities for effective risk mitigation

Get a Demo