CWE-1333 Base Draft High likelihood

Inefficient Regular Expression Complexity

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential…

Definition

What is CWE-1333?

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.
The root cause lies in how many regex engines handle failed matches through a process called backtracking. When a pattern doesn't match, the engine tries different paths by rewinding to earlier decision points. A poorly designed regex—often involving nested quantifiers (like (a+)+) or ambiguous patterns—can create an exponential number of these backtracking paths relative to the input length. Attackers exploit this by providing carefully crafted, non-matching input that forces the engine to evaluate all possible backtracking paths. This causes CPU usage to spike dramatically, potentially freezing the application or server. The risk is highest when processing user-controlled strings without complexity limits, making regex-based input validation a common attack vector for denial-of-service.
Auswirkungen in der Praxis

Real-world CVEs caused by CWE-1333

  • CVE-2020-5243

    server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.

  • CVE-2021-21317

    npm package for user-agent parser prone to ReDoS due to overlapping capture groups

  • CVE-2019-16215

    Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.

  • CVE-2019-6785

    Long string in a version control product allows DoS due to an inefficient regex.

  • CVE-2019-12041

    Javascript code allows ReDoS via a long string due to excessive backtracking.

  • CVE-2015-8315

    ReDoS when parsing time.

  • CVE-2015-8854

    ReDoS when parsing documents.

  • CVE-2017-16021

    ReDoS when validating URL.

Wie Angreifer es ausnutzen

Angreiferpfad Schritt für Schritt

  1. 1

    This example attempts to check if an input string is a "sentence" [REF-1164].

  2. 2

    The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

  3. 3

    Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.

  4. 4

    This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].

  5. 5

    The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Verwundbares Codebeispiel

Vulnerable JavaScript

This example attempts to check if an input string is a "sentence" [REF-1164].

Verwundbar JavaScript 
var test_string = "Bad characters: $@#";
 var bad_pattern = /^(\w+\s?)*$/i;
 var result = test_string.search(bad_pattern);
Sicheres Codebeispiel

Secure JavaScript

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Sicher JavaScript 
var test_string = "Bad characters: $@#";
 var good_pattern = /^((?=(\w+))\2\s?)*$/i;
 var result = test_string.search(good_pattern);
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste

How to prevent CWE-1333

  • Architecture and Design Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • System Configuration Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
  • Implementation Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
  • Implementation Limit the length of the input that the regular expression will process.
Erkennungssignale

How to detect CWE-1333

SAST High

Führe statische Analyse (SAST) auf der Codebasis aus und suche im Datenfluss nach dem unsicheren Muster.

DAST Moderate

Führe dynamische Application-Security-Tests gegen den Live-Endpoint aus.

Runtime Moderate

Beobachte Runtime-Logs auf ungewöhnliche Exception-Traces, fehlerhafte Eingaben oder Versuche, Autorisierung zu umgehen.

Code review Moderate

Code Review: Markiere jeden neuen Code, der Eingaben von dieser Oberfläche ohne validierte Framework-Helper verarbeitet.

Plexicus Auto-Fix

Plexicus erkennt CWE-1333 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.

Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.

Demo anfordern Plexicus kostenlos testen
Häufig gestellte Fragen

Frequently asked questions

Was ist CWE-1333?

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.

Wie gravierend ist CWE-1333?

MITRE stuft die Exploit-Wahrscheinlichkeit als hoch ein — diese Schwachstelle wird aktiv in freier Wildbahn ausgenutzt und sollte priorisiert behoben werden.

Welche Sprachen oder Plattformen sind von CWE-1333 betroffen?

MITRE hat für diese CWE keine betroffenen Plattformen spezifiziert — sie kann in den meisten Anwendungs-Stacks auftreten.

Wie kann ich CWE-1333 verhindern?

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Wie erkennt und behebt Plexicus CWE-1333?

Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-1333 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.

Wo erfahre ich mehr über CWE-1333?

MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/1333.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.

Verwandte Schwachstellen

Weaknesses related to CWE-1333

CWE-407 Parent

Inefficient Algorithmic Complexity

This vulnerability occurs when a software component uses an algorithm with poor worst-case performance. An attacker can exploit this by…

Ressourcen

Further reading

Bereit, wenn du es bist

Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.

Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.

Kostenlos starten Demo buchen