logo

Inefficient Algorithmic Complexity

Incomplete Class
Structure: Simple
Description

This vulnerability occurs when a software component uses an algorithm with poor worst-case performance. An attacker can exploit this by providing specially crafted input that forces the algorithm into its slowest possible execution path, leading to severe performance degradation or denial of service.

Extended Description

At its core, this issue is about predictable resource exhaustion. Common examples include using algorithms with quadratic (O(n²)) or exponential complexity for tasks that handle user-controlled data size, like inefficient sorting or search algorithms on large, attacker-supplied inputs. When exploited, this can cause excessive CPU consumption, memory usage, or runtime delays, crippling the application's availability. Developers can mitigate this by selecting algorithms with consistent, efficient complexity (like O(n log n) for sorting) and implementing safeguards. These include setting hard limits on input size, using timeouts for operations, and switching to more performant algorithms or data structures when processing thresholds are crossed. Always profile code with worst-case input scenarios during testing.
Common Consequences 1
Scope: Availability

Impact: DoS: Resource Consumption (CPU)DoS: Resource Consumption (Memory)DoS: Resource Consumption (Other)

The typical consequence is CPU consumption, but memory consumption and consumption of other resources can also occur.
Demonstrative Examples 1

ID : DX-158

This example attempts to check if an input string is a "sentence" [REF-1164].

Code Example:

Bad
JavaScript

var test_string = "Bad characters: $@#"; var bad_pattern = /^(\w+\s?)*$/i; var result = test_string.search(bad_pattern);

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Code Example:

Good
JavaScript

var test_string = "Bad characters: $@#"; var good_pattern = /^((?=(\w+))\2\s?)*$/i; var result = test_string.search(good_pattern);

Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.
Observed Examples 14
CVE-2021-32617C++ library for image metadata has "quadratic complexity" issue with unnecessarily repetitive parsing each time an invalid character is encountered
CVE-2020-10735Python has "quadratic complexity" issue when converting string to int with many digits in unexpected bases
CVE-2020-5243server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2014-1474Perl-based email address parser has "quadratic complexity" issue via a string that does not contain a valid address
CVE-2003-0244CPU consumption via inputs that cause many hash table collisions.
CVE-2003-0364CPU consumption via inputs that cause many hash table collisions.
CVE-2002-1203Product performs unnecessary processing before dropping an invalid packet.
CVE-2001-1501CPU and memory consumption using many wildcards.
CVE-2004-2527Product allows attackers to cause multiple copies of a program to be loaded more quickly than the program can detect that other copies are running, then exit. This type of error should probably have its own category, where teardown takes more time than initialization.
CVE-2006-6931Network monitoring system allows remote attackers to cause a denial of service (CPU consumption and detection outage) via crafted network traffic, aka a "backtracking attack."
CVE-2006-3380Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
CVE-2006-3379Wiki allows remote attackers to cause a denial of service (CPU consumption) by performing a diff between large, crafted pages that trigger the worst case algorithmic complexity.
CVE-2005-2506OS allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates.
CVE-2005-1792Memory leak by performing actions faster than the software can clear them.
References 2
Algorithmic Complexity Attacks
Scott A. Crosby and Dan S. Wallach
Proceedings of the 12th USENIX Security Symposium
08-2003
https://www.usenix.org/legacy/events/sec03/tech/full_papers/crosby/crosby.pdf
ID: REF-395
Catastrophic backtracking
Ilya Kantor
13-12-2020
https://javascript.info/regexp-catastrophic-backtracking
ID: REF-1164
Likelihood of Exploit

Low

Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Alternate Terms

Quadratic Complexity

Used when the algorithmic complexity is related to the square of the number of inputs (N^2)
Functional Areas
  1. Cryptography
Related Weaknesses
ChildOf: Asymmetric Resource Consumption (Amplification) (CWE-405)
Taxonomy Mapping
  • PLOVER