dkduckkit.dev

ReDoS Vulnerability Tester

Analyze JavaScript-style regex for catastrophic backtracking: scores from redos-detector, static heuristics, evil inputs, and bounded timing.

Last updated: March 2026

TL;DR

Combines redos-detector scoring with static CWE-1333-style heuristics, evil-input samples, and capped main-thread timing so you can see backtracking risk before shipping regex over untrusted input.

Formula: Risk ≈ max(static ambiguity signals, library score); validate with generated mismatching suffix and timing vs input length.

When to use this

  • Reviewing user-supplied filters, validators, or WAF-style rules in JavaScript engines.
  • Triaging suspicious nested quantifiers after lint noise or production latency spikes.

What is ReDoS?

Regular Expression Denial of Service (ReDoS) happens when a regex engine spends excessive time backtracking on crafted input. Backtracking engines (JavaScript's RegExp, PCRE, Java's java.util.regex, Python's re) try one alternative at a time and retry on failure, so an ambiguous pattern such as a nested quantifier or an overlapping alternation can take exponential or steeply polynomial time in the input length when the input almost matches and then fails at a later constraint.

Vulnerable patterns to watch

Classic examples include nested quantifiers such as (a+)+, overlapping alternation inside a repeated group such as (a|aa)+, and adjacent quantifiers over overlapping character classes (\d+\d+, \s+\s+, .*.*), where the engine can split the same span in many ways before a later constraint fails. The first two shapes are exponential in the input length; the third is polynomial, which is still enough to stall a request handler on a few tens of kilobytes. None of them bite while the overall match succeeds, which is why a useful evil input always ends with a mismatching suffix that forces the engine to exhaust every split.
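A static pass of the kind the TL;DR calls "static ambiguity signals", as an added example that is not the tool's own code: it flags the three shapes just described and ranks them. A naive "quantifier inside a quantified group" rule would also flag the safe rewrite recommended further down the page, so the scanner additionally checks whether consecutive iterations of the group can actually re-split the same run of input. Function names, the finding kinds and the confidence labels are this example's own.

```javascript
// Added example, not code from the dkduckkit.dev tool: a minimal static scanner
// for the three shapes above. It understands escapes, character classes, groups,
// alternation and quantifiers; lookarounds and backreferences are treated as
// ordinary groups/atoms, and "same atom text" stands in for "overlapping class"
// (so \w+ next to [a-z]+ is missed). All function names are this example's own.

// Parse a quantifier at src[i]; returns { end, min } or null when there is none.
function parseQuantifier(src, i) {
  let end, min;
  const c = src[i];
  if (c === '*' || c === '?') { end = i + 1; min = 0; }
  else if (c === '+') { end = i + 1; min = 1; }
  else if (c === '{') {
    const m = /^\{(\d+)(?:,\d*)?\}/.exec(src.slice(i));
    if (!m) return null;                  // a bare "{" is a literal without the u flag
    end = i + m[0].length; min = Number(m[1]);
  } else return null;
  if (src[end] === '?') end += 1;         // lazy modifier: same backtracking exposure
  return { end, min };
}

function analyzeRegexShape(src) {
  const findings = [];
  const stack = [];
  const newGroup = start => ({ start, innerQuant: false, branches: [], lit: '', atoms: [] });
  let g = newGroup(0);                    // g is the innermost open group (top level at start)
  let i = 0;

  const endBranch = () => { g.branches.push({ lit: g.lit, atoms: g.atoms }); g.lit = ''; g.atoms = []; };

  // Record one atom (char, escape, class or closed group) plus the quantifier after it.
  const addAtom = (text, literalChar, start, pos) => {
    const q = parseQuantifier(src, pos);
    const end = q ? q.end : pos;
    if (q) g.innerQuant = true;
    // A branch stays "plain literal" only while it holds unquantified characters.
    if (literalChar !== null && !q && g.lit !== null) g.lit += literalChar; else g.lit = null;
    const prev = g.atoms[g.atoms.length - 1];
    if (q && prev && prev.q && prev.text === text) {   // \d+\d+, \s+\s*, .*.*
      findings.push({ kind: 'adjacent-quantifiers', at: src.slice(prev.start, end), confidence: 'medium' });
    }
    g.atoms.push({ text, q, start, canBeEmpty: !!q && q.min === 0 });
    return end;
  };

  while (i < src.length) {
    const c = src[i];
    if (c === '\\') {
      const n = src[i + 1];
      const isLiteral = !/[A-Za-z0-9]/.test(n);       // \. is a literal; \d, \w, \1 are not
      i = addAtom(src.slice(i, i + 2), isLiteral ? n : null, i, i + 2);
    } else if (c === '[') {
      let j = i + 1;
      while (j < src.length && src[j] !== ']') j += src[j] === '\\' ? 2 : 1;
      i = addAtom(src.slice(i, j + 1), null, i, j + 1);
    } else if (c === '(') {
      let j = i + 1;
      if (src[j] === '?') {                            // (?: (?= (?! (?<= (?<! (?<name>
        const m = /^\?(?::|=|!|<=|<!|<[^>]+>)/.exec(src.slice(j));
        j += m ? m[0].length : 1;
      }
      stack.push(g); g = newGroup(i); i = j;
    } else if (c === ')') {
      if (stack.length === 0) throw new SyntaxError(`unbalanced ")" at ${i}`);
      endBranch();
      const closed = g;
      g = stack.pop();
      const q = parseQuantifier(src, i + 1);
      const text = src.slice(closed.start, q ? q.end : i + 1);
      if (q && closed.innerQuant) {
        // A quantified group with a quantifier inside is only ambiguous when two
        // consecutive iterations can split one run of input differently, i.e. the
        // first atom and the last non-optional atom of some branch coincide.
        const ambiguous = closed.branches.some(b => {
          let last = b.atoms.length - 1;
          while (last > 0 && b.atoms[last].canBeEmpty) last -= 1;
          const first = b.atoms[0];
          return !!first && !!first.q && first.text === b.atoms[last].text;
        });
        findings.push({ kind: 'nested-quantifier', at: text, confidence: ambiguous ? 'high' : 'low' });
      }
      if (q) {                                         // (a|aa)+: one literal branch prefixes another
        const lits = closed.branches.map(b => b.lit);
        if (lits.length > 1 && lits.every(l => l !== null) &&
            lits.some((a, x) => lits.some((b, y) => x !== y && b.startsWith(a)))) {
          findings.push({ kind: 'overlapping-alternation', at: text, confidence: 'high' });
        }
      }
      if (closed.innerQuant) g.innerQuant = true;
      i = addAtom(src.slice(closed.start, i + 1), null, closed.start, i + 1);
    } else if (c === '|') {
      endBranch(); i += 1;
    } else if (c === '^' || c === '$') {
      g.lit = null; i += 1;                            // anchors are not atoms
    } else {
      i = addAtom(c, c === '.' ? null : c, i, i + 1);
    }
  }
  if (stack.length) throw new SyntaxError('unbalanced "("');
  return findings;
}

// Worst finding wins, mirroring the "max of signals" rule in the TL;DR.
function shapeRisk(src) {
  const order = ['none', 'low', 'medium', 'high'];
  return analyzeRegexShape(src)
    .reduce((w, f) => (order.indexOf(f.confidence) > order.indexOf(w) ? f.confidence : w), 'none');
}

// Constructed samples: the classics from the text, the page's safe rewrite, a benign validator.
for (const s of [String.raw`(a+)+$`, String.raw`^(a|aa)+$`, String.raw`\d+\d+x`,
                 String.raw`^\w+(?:\s+\w+)*$`, String.raw`^[a-z]+@[a-z]+\.[a-z]{2,}$`]) {
  console.log(s.padEnd(28), shapeRisk(s).padEnd(7), JSON.stringify(analyzeRegexShape(s)));
}
```

The scanner is deliberately text-based: it never builds an automaton, so it cannot see that [a-z]+ and \w+ overlap, and its "low" confidence for \w+(?:\s+\w+)* is a hint to confirm with timing, not a proof of safety. That is the division of labour the TL;DR describes: cheap static signals first, then a bounded dynamic check.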

Real-world incidents

Cloudflare, July 2019: a newly deployed WAF rule contained the fragment .*(?:.*=.*), three overlapping unbounded wildcards, which backtracked catastrophically on certain payloads, pinned CPUs across the edge and produced roughly 27 minutes of global 502 errors. The incident underscored how a single ambiguous pattern at the edge can amplify into wide impact.

Cloudflare, November 2025: a lengthy partial outage that was not caused by ReDoS. A configuration file grew past a hard-coded size limit after a database change produced duplicated rows, and the software consuming it failed. It still illustrates the same class of concern that ReDoS belongs to: a system that processes externally influenced data without strict bounds can fall over from size or complexity, whether the trigger is a regex, a configuration file, or a payload's shape.

Stack Overflow, July 2016: a whitespace-trimming regex in the Markdown pipeline went quadratic on a post containing a very long run of whitespace characters, taking the site down for about half an hour and showing that even "simple" string cleanup can be dangerous on unusual Unicode and whitespace.

How to fix or mitigate

  1. Rewrite the pattern to remove nested quantifiers and ambiguous splits. Example: prefer \w+(?:\s+\w+)* over (\w+\s*)+; each iteration of the rewrite must start with whitespace, so consecutive iterations can no longer re-split one run of word characters. Check the semantics before swapping (the rewrite no longer accepts trailing whitespace).
  2. Atomic groups in JS via the regex npm package, which emulates them with lookahead plus backreference: (?=(X))\1 behaves like (?>X) because ECMAScript never backtracks into a lookahead that has already succeeded. Native (?>...) groups are not in standard JavaScript yet (TC39 Stage 1 as of 2026); Java, PCRE, .NET and Python 3.11+ support them natively.
  3. Linear-time engines for critical paths: RE2 (the re2 package for Node, Go's regexp package with the same syntax and guarantee, google-re2 for Python) and Rust's regex crate. The price is no backreferences or lookarounds, so patterns that rely on them must be restructured.
  4. Cap untrusted input length before matching to bound work even when the pattern is imperfect. A cap tames polynomial patterns; an exponential one can still take seconds on a few dozen characters, so the cap complements a rewrite rather than replacing it.
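Mitigations 1, 2 and 4 applied to one pattern, with a bounded timing probe driven by a generated mismatching suffix, as an added example that is not code from the dkduckkit.dev tool or from the regex and re2 packages. The pattern names, MAX_LEN, SCHEDULE and the per-size budgets are this example's own choices; step 3 is left out because it needs the re2 package installed.

```javascript
// Added example, not code from the dkduckkit.dev tool or from the regex/re2
// packages: mitigations 1, 2 and 4 from the list above applied to one pattern,
// plus a bounded timing probe with a generated mismatching suffix. Pattern
// names, MAX_LEN, SCHEDULE and the budgets are this example's own choices.

// 1. Ambiguous original and the unambiguous rewrite. The rewrite no longer
//    accepts trailing whitespace, which the original did; confirm that this
//    is acceptable before swapping patterns in production.
const vulnerable = /^(\w+\s*)+$/;
const rewritten = /^\w+(?:\s+\w+)*$/;

// 2. Atomic emulation without a library: (?=(X))\1 behaves like (?>X) because
//    ECMAScript never backtracks into a lookahead that has already succeeded,
//    so each \w+ run is consumed once and later iterations cannot re-split it.
const atomicEmulated = /^(?:(?=(\w+))\1\s*)+$/;

// 4. Length cap in front of any match over untrusted input. It bounds
//    polynomial patterns; an exponential one still blows up inside the cap.
const MAX_LEN = 4096;
function guardedTest(re, input) {
  if (input.length > MAX_LEN) return { matched: false, rejected: 'input-too-long' };
  return { matched: re.test(input) };
}

// Evil input: a run the repeated part accepts, then one character that makes
// the trailing "$" fail, forcing a backtracking engine to try every split.
const evilInput = n => 'a'.repeat(n) + '!';

// Bounded timing. Tiny sizes carry a tight budget: a linear pattern finishes
// 24 characters in microseconds, while 2^23 ways to split 24 "a"s cannot fit
// in 2 ms on any current CPU, so an exponential pattern is always stopped
// before the large sizes (which it would never finish) are attempted.
const SCHEDULE = [[8, 2], [12, 2], [16, 2], [20, 2], [24, 2], [1000, 50], [10000, 50], [100000, 50]];
function timeProfile(re) {
  re.test('a');                                        // compile/JIT warm-up outside the measurement
  const samples = [];
  for (const [n, budgetMs] of SCHEDULE) {
    const input = evilInput(n);
    const t0 = performance.now();
    const matched = re.test(input);
    const ms = performance.now() - t0;
    samples.push({ n, ms, matched });
    if (ms > budgetMs) return { verdict: 'superlinear', stoppedAt: n, samples };
  }
  return { verdict: 'bounded', samples };
}

// Time growth between the last two samples divided by the input growth:
// about 1 for linear, about the size ratio for quadratic, huge for exponential.
function growthFactor({ samples }) {
  if (samples.length < 2) return NaN;
  const [p, q] = samples.slice(-2);
  return (q.ms / Math.max(p.ms, 1e-3)) / (q.n / p.n);
}

for (const [name, re] of Object.entries({ vulnerable, rewritten, atomicEmulated })) {
  const profile = timeProfile(re);
  console.log(name.padEnd(15), profile.verdict.padEnd(11),
    `growth x${growthFactor(profile).toFixed(1)}`,
    profile.samples.map(s => `${s.n}:${s.ms.toFixed(3)}ms`).join(' '));
}
console.log(guardedTest(rewritten, 'a'.repeat(MAX_LEN + 1)));
```

The probe measures on the main thread, so it is only safe because the small sizes are tried first with a budget that an exponential pattern cannot meet; jumping straight to a 1000-character evil input against the vulnerable pattern would never return. That is the reason the TL;DR talks about capped timing rather than just timing.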

Further reading: OWASP ReDoS.