ByteOS Network

CWE-1333:Inefficient Regular Expression Complexity

Weakness ID:1333

Version:v4.17

Weakness Name:Inefficient Regular Expression Complexity

Vulnerability Mapping:Allowed

Abstraction:Base

Structure:Simple

Status:Draft

Likelihood of Exploit:High

Details Content History Observed CVE Examples Reports

▼Description

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

▼Extended Description

Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met:

The number of possible backtracking attempts are exponential relative to the length of the input.

The input can fail to match the regular expression.

The input can be long enough.

Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

▼Alternate Terms

ReDoS

ReDoS is an abbreviation of "Regular expression Denial of Service".

Regular Expression Denial of Service

While this term is attack-focused, this is commonly used to describe the weakness.

Catastrophic backtracking

This term is used to describe the behavior of the regular expression as a negative technical impact.

▼Relationships

Relevant to the view"Research Concepts - (1000)"

Nature	Mapping	Type	ID	Name
ChildOf	Allowed-with-Review	C	407	Inefficient Algorithmic Complexity

Nature: ChildOf

Mapping: Allowed-with-Review

Type: Class

ID: 407

Name: Inefficient Algorithmic Complexity

▼Memberships

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	1226	Complexity Issues
MemberOf	Prohibited	C	1416	Comprehensive Categorization: Resource Lifecycle Management

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 1226

Name: Complexity Issues

Nature: MemberOf

Mapping: Prohibited

Type:Category

ID: 1416

Name: Comprehensive Categorization: Resource Lifecycle Management

▼Tags

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	BS	BOSS-274	High likelihood of exploit
MemberOf	Prohibited	BS	BOSS-294	Not Language-Specific Weaknesses
MemberOf	Prohibited	BS	BOSS-314	DoS: Resource Consumption (CPU) (impact)

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-274

Name: High likelihood of exploit

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-294

Name: Not Language-Specific Weaknesses

Nature: MemberOf

Mapping: Prohibited

Type:BOSSView

ID: BOSS-314

Name: DoS: Resource Consumption (CPU) (impact)

▼Relevant To View

Relevant to the view"Software Development - (699)"

Nature	Mapping	Type	ID	Name
MemberOf	Prohibited	C	1226	Complexity Issues

Nature: MemberOf

Mapping: Prohibited

Type: Category

ID: 1226

Name: Complexity Issues

▼Common Consequences

Scope	Likelihood	Impact	Note
Availability	High	DoS: Resource Consumption (CPU)	N/A

Scope: Availability

Likelihood: High

Impact: DoS: Resource Consumption (CPU)

Note:

N/A

▼Potential Mitigations

Phase:Architecture and Design

Effectiveness: High

Description:

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.

Note:

This is one of the few effective solutions when using user-provided regular expressions.

Phase:System Configuration

Effectiveness: Moderate

Description:

Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Phase:Implementation

Effectiveness: High

Description:

Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Phase:Implementation

Effectiveness: Moderate

Description:

Limit the length of the input that the regular expression will process.

▼Modes Of Introduction

Phase: Implementation

Note:

A RegEx can be easy to create and read using unbounded matching characters, but the programmer might not consider the risk of excessive backtracking.

▼Applicable Platforms

Languages

Class: Not Language-Specific(Undetermined Prevalence)

▼Demonstrative Examples

Example 1

This example attempts to check if an input string is a "sentence" [REF-1164].

Language: JavaScript(Bad code)

var test_string = "Bad characters: $@#"; var bad_pattern = /^(\w+\s?)*$/i; var result = test_string.search(bad_pattern);

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases.

To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Language: JavaScript(Good code)

var test_string = "Bad characters: $@#"; var good_pattern = /^((?=(\w+))\2\s?)*$/i; var result = test_string.search(good_pattern);

Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.

Example 2

This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].

Language: Perl(Bad code)

my $test_string = "Bad characters: \$\@\#"; my $bdrslt = $test_string; $bdrslt =~ /^(\w+\s?)*$/i;

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases.

To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Language: Perl(Good code)

my $test_string = "Bad characters: \$\@\#"; my $gdrslt = $test_string; $gdrslt =~ /^((?=(\w+))\2\s?)*$/i;

Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.

▼Observed Examples

Reference	Description
CVE-2020-5243	server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2021-21317	npm package for user-agent parser prone to ReDoS due to overlapping capture groups
CVE-2019-16215	Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.
CVE-2019-6785	Long string in a version control product allows DoS due to an inefficient regex.
CVE-2019-12041	Javascript code allows ReDoS via a long string due to excessive backtracking.
CVE-2015-8315	ReDoS when parsing time.
CVE-2015-8854	ReDoS when parsing documents.
CVE-2017-16021	ReDoS when validating URL.

Reference: CVE-2020-5243

Description:

server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.

Reference: CVE-2021-21317

Description:

npm package for user-agent parser prone to ReDoS due to overlapping capture groups

Reference: CVE-2019-16215

Description:

Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.

Reference: CVE-2019-6785

Description:

Long string in a version control product allows DoS due to an inefficient regex.

Reference: CVE-2019-12041

Description:

Javascript code allows ReDoS via a long string due to excessive backtracking.

Reference: CVE-2015-8315

Description:

ReDoS when parsing time.

Reference: CVE-2015-8854

Description:

ReDoS when parsing documents.

Reference: CVE-2017-16021

Description:

ReDoS when validating URL.

▼Vulnerability Mapping Notes

Usage:Allowed

Reason:Acceptable-Use

Rationale:

This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.

Comments:

Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

▼Related Attack Patterns

ID	Name
CAPEC-492	Regular Expression Exponential Blowup

ID: CAPEC-492

Name: Regular Expression Exponential Blowup

▼References

Reference ID: REF-1180

Title: Regular Expression Denial of Service

Author: Scott A. Crosby

Publication:

URL:https://web.archive.org/web/20031120114522/http://www.cs.rice.edu/~scrosby/hash/slides/USENIX-RegexpWIP.2.ppt

Day:N/A

Month:08

Year:2003

Reference ID: REF-1162

Title: Runaway Regular Expressions: Catastrophic Backtracking

Author: Jan Goyvaerts

Publication:

URL:https://www.regular-expressions.info/catastrophic.html

Day:22

Month:12

Year:2019

Reference ID: REF-1163

Title: Regular expression Denial of Service - ReDoS

Author: Adar Weidman

Publication:

URL:https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

Day:N/A

Month:N/A

Year:N/A

Reference ID: REF-1164

Title: Catastrophic backtracking

Author: Ilya Kantor

Publication:

URL:https://javascript.info/regexp-catastrophic-backtracking

Day:13

Month:12

Year:2020

Reference ID: REF-1165

Title: Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers

Author: Cristian-Alexandru Staicu, Michael Pradel

Publication:

USENIX Security Symposium

URL:https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-staicu.pdf

Day:11

Month:07

Year:2018

Reference ID: REF-1166

Title: The Impact of Regular Expression Denial of Service (ReDoS) in Practice: An Empirical Study at the Ecosystem Scale

Author: James C. Davis, Christy A. Coghlan, Francisco Servant, Dongyoon Lee

Publication:

URL:https://fservant.github.io/papers/Davis_Coghlan_Servant_Lee_ESECFSE18.pdf

URL Date:2023-04-07

Day:01

Month:08

Year:2018

Reference ID: REF-1167

Title: The Regular Expression Denial of Service (ReDoS) cheat-sheet

Author: James Davis

Publication:

URL:https://levelup.gitconnected.com/the-regular-expression-denial-of-service-redos-cheat-sheet-a78d0ed7d865

Day:23

Month:05

Year:2020