JavaScript ReDoS Vulnerable Regex
Description
Detects potential Regular Expression Denial of Service (ReDoS) vulnerabilities in JavaScript code where user-controlled input is used with regex test operations. These vulnerabilities can lead to application unresponsiveness or crashes when malicious input triggers catastrophic backtracking in regex pattern matching.
Detection Strategy
• Look for .test method calls on regular expressions in JavaScript code
• Check if the regular expression pattern contains potentially unsafe constructs (like nested quantifiers or complex groupings)
• Identify if the tested string comes from user-controlled input sources
• Report a vulnerability when both an unsafe regex pattern and user-controlled input are used together in a test operation
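The four steps above, carried out as a small string-based scanner over JavaScript source. This is an added example, not Fluid Attacks' rule or code. It assumes that regex literals are assigned with const/let/var and tested with NAME.test(ARG), treats any parameter of a function declaration as user-controlled input, and flags a group that is repeated without an upper bound while containing another quantifier. The function names (hasNestedQuantifier, functionParameters, findRedosCandidates) and the three sample sources are constructed for the example.

```javascript
// Added example, not Fluid Attacks' rule: a string-based heuristic scanner that
// applies the four detection steps to JavaScript source text. Assumptions: regex
// literals are assigned with const/let/var, .test() is called on that variable by
// name, and any parameter of a `function` declaration is treated as user-controlled.

// True when the pattern text (between the slashes of a regex literal) has a
// quantifier inside a group that is itself repeated without an upper bound,
// e.g. (\w+)* or ([.-]?\w+)*. Escapes and character classes are skipped so that
// \* or [+] are not mistaken for quantifiers.
function hasNestedQuantifier(pattern) {
  const brace = /^\{\d+(,\d*)?\}/;   // {n}, {n,} or {n,m}
  const openBrace = /^\{\d+,\}/;     // {n,} has no upper bound
  const groups = [];                 // open groups; each records whether a quantifier appeared inside
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === '\\') { i++; continue; }                          // skip the escaped character
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') {
      groups.push({ innerQuantifier: false });
      if (pattern[i + 1] === '?') i += 2;                        // skip (?: (?= (?! (?< prefixes
      continue;
    }
    if (c === ')') {
      const group = groups.pop() || { innerQuantifier: false };  // tolerate unbalanced input
      const rest = pattern.slice(i + 1);
      const unbounded = rest[0] === '*' || rest[0] === '+' || openBrace.test(rest);
      const quantified = unbounded || rest[0] === '?' || brace.test(rest);
      if (unbounded && group.innerQuantifier) return true;
      if (quantified && groups.length) groups[groups.length - 1].innerQuantifier = true;
      continue;
    }
    if (c === '*' || c === '+' || c === '?' || brace.test(pattern.slice(i))) {
      if (groups.length) groups[groups.length - 1].innerQuantifier = true;
    }
  }
  return false;
}

// Step 3, simplified: collect the parameter names of `function` declarations and
// treat them as untrusted. A real rule would trace data flow on an AST.
function functionParameters(jsSource) {
  const params = new Set();
  const decl = /\bfunction\b[^(]*\(([^)]*)\)/g;
  let m;
  while ((m = decl.exec(jsSource)) !== null) {
    for (const p of m[1].split(',')) {
      if (p.trim()) params.add(p.trim());
    }
  }
  return params;
}

// Steps 1, 2 and 4: find `const NAME = /.../` literals, look for NAME.test(ARG),
// and report only when the pattern is unsafe and ARG is a function parameter.
function findRedosCandidates(jsSource) {
  const literal = /\b(?:const|let|var)\s+(\w+)\s*=\s*\/((?:\\.|\[(?:\\.|[^\]\\])*\]|[^\/\\\n])+)\/[a-z]*/g;
  const untrusted = functionParameters(jsSource);
  const findings = [];
  let m;
  while ((m = literal.exec(jsSource)) !== null) {
    const [, name, pattern] = m;
    const call = new RegExp(`\\b${name}\\.test\\(\\s*([^)]*)\\)`).exec(jsSource);
    if (!call) continue;
    const testedExpression = call[1].trim();
    if (hasNestedQuantifier(pattern) && untrusted.has(testedExpression)) {
      findings.push({ variable: name, pattern, testedExpression });
    }
  }
  return findings;
}

// Constructed inputs: the page's two validators, plus an unsafe pattern that is
// only tested against a constant (no finding: nothing user-controlled reaches it).
const VULNERABLE_SAMPLE = String.raw`
function validateEmail(email) {
  const emailRegex = /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/;
  return emailRegex.test(email);
}`;
const SECURE_SAMPLE = String.raw`
function validateEmail(email) {
  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  return emailRegex.test(email);
}`;
const CONSTANT_INPUT_SAMPLE = String.raw`
const greedy = /(a+)+$/;
const ok = greedy.test("aaaa");`;

console.log(findRedosCandidates(VULNERABLE_SAMPLE));      // one finding: emailRegex tested against email
console.log(findRedosCandidates(SECURE_SAMPLE));          // []
console.log(findRedosCandidates(CONSTANT_INPUT_SAMPLE));  // []
```

The nested-quantifier heuristic is deliberately coarse: a bounded repetition such as {2,3} inside an unbounded group is flagged even where the surrounding characters cannot overlap, and overlapping alternations like (a|aa)+ are a ReDoS source it does not catch at all. Both are reasons a production rule works on an AST with a proper regex analysis rather than on source text.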
Vulnerable code example
function validateEmail(email) {
  // Vulnerable: Regex pattern susceptible to ReDoS due to nested quantifiers
  const emailRegex = /^\w+([\.-]?\w+)*@\w+([\.-]?\w+)*(\.\w{2,3})+$/;
  return emailRegex.test(email);
}
// Example usage
const result = validateEmail("test@example.com");
✅ Secure code example
function validateEmail(email) {
  // Safe: Simple regex pattern without nested quantifiers to prevent ReDoS
  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  return emailRegex.test(email);
}
// Example usage
const result = validateEmail("test@example.com");