CWE-1333 Base Draft High likelihood

Inefficient Regular Expression Complexity

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential…

Definition

What is CWE-1333?

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.
The root cause lies in how many regex engines handle failed matches through a process called backtracking. When a pattern doesn't match, the engine tries different paths by rewinding to earlier decision points. A poorly designed regex—often involving nested quantifiers (like (a+)+) or ambiguous patterns—can create an exponential number of these backtracking paths relative to the input length. Attackers exploit this by providing carefully crafted, non-matching input that forces the engine to evaluate all possible backtracking paths. This causes CPU usage to spike dramatically, potentially freezing the application or server. The risk is highest when processing user-controlled strings without complexity limits, making regex-based input validation a common attack vector for denial-of-service.
Real-world impact

Real-world CVEs caused by CWE-1333

  • server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.

  • npm package for user-agent parser prone to ReDoS due to overlapping capture groups

  • Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.

  • Long string in a version control product allows DoS due to an inefficient regex.

  • JavaScript code allows ReDoS via a long string due to excessive backtracking.

  • ReDoS when parsing time.

  • ReDoS when parsing documents.

  • ReDoS when validating URL.

How attackers exploit it

Attacker path, step by step

  1. This example attempts to check if an input string is a "sentence" [REF-1164].

  2. The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, the inner \w+ is moved into a lookahead with (?=...), and the backreference \2 then consumes exactly the text the lookahead matched; because the engine cannot backtrack into a lookahead, the catastrophic backtracking is prevented. The modified example is:

  3. Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.

  4. This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].

  5. The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, the inner \w+ is moved into a lookahead with (?=...), and the backreference \2 then consumes exactly the text the lookahead matched; because the engine cannot backtrack into a lookahead, the catastrophic backtracking is prevented. The modified example is:

Vulnerable code example

Vulnerable JavaScript

This example attempts to check if an input string is a "sentence" [REF-1164].

Vulnerable JavaScript
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;
var result = test_string.search(bad_pattern);
Secure code example

Secure JavaScript

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, the inner \w+ is moved into a lookahead with (?=...), and the backreference \2 then consumes exactly the text the lookahead matched; because the engine cannot backtrack into a lookahead, the catastrophic backtracking is prevented. The modified example is:

Secure JavaScript
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;
var result = test_string.search(good_pattern);
What changed: the nested quantifier (\w+\s?)* is rewritten as ((?=(\w+))\2\s?)*, so each word is matched once inside a lookahead and then consumed by the backreference \2; the engine cannot backtrack into the lookahead, so the same non-matching input fails quickly instead of triggering catastrophic backtracking.
Prevention checklist

How to prevent CWE-1333

  • Architecture and Design: Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • System Configuration: Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
  • Implementation: Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
  • Implementation: Limit the length of the input that the regular expression will process.
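As an added example (not code from the CWE entry or from Plexicus), the following JavaScript puts two of these mitigations into practice: a heuristic static check that flags the nested-quantifier shape described in the definition (an unbounded +, * or {n,} applied to a group that itself contains one, outside lookaround), and the entry's hardened sentence pattern wrapped with an input-length limit. The MAX_INPUT value and all function names are assumptions.

```javascript
// Added example, not code from the CWE entry or from Plexicus.

// True when src[i] starts an unbounded quantifier: +, * or {n,} with no upper bound.
function isUnboundedQuantifierAt(src, i) {
  const c = src[i];
  if (c === '+' || c === '*') return true;
  return c === '{' && /^\{\d+,\}/.test(src.slice(i));
}

// Heuristic only: flags an unbounded quantifier applied to a group that itself
// contains one. It does not catch ambiguity between alternatives such as (a|aa)+.
function hasNestedUnboundedQuantifier(pattern) {
  const src = pattern instanceof RegExp ? pattern.source : pattern;
  const stack = []; // one entry per open group
  let inClass = false;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === '\\') { i++; continue; }                 // skip escaped char (\w, \2, \.)
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === '(') {
      // lookaround is atomic once matched: the engine never backtracks into it
      const lookaround = /^\(\?<?[=!]/.test(src.slice(i));
      stack.push({ unbounded: false, lookaround });
    } else if (c === ')') {
      const group = stack.pop();
      if (!group) return false;                          // unbalanced; leave to the compiler
      if (group.unbounded && !group.lookaround && isUnboundedQuantifierAt(src, i + 1)) return true;
      // an inner unbounded quantifier also counts for the enclosing group, except from lookaround
      if (group.unbounded && !group.lookaround && stack.length) stack[stack.length - 1].unbounded = true;
    } else if (stack.length && isUnboundedQuantifierAt(src, i)) {
      stack[stack.length - 1].unbounded = true;
    }
  }
  return false;
}

const MAX_INPUT = 10000;                  // assumed limit; size it to the field being validated
const SENTENCE = /^((?=(\w+))\2\s?)*$/i;  // the hardened pattern from the entry

// Same check as the entry's good_pattern, with the input length bounded first.
function isSentence(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT) return false;
  return SENTENCE.test(input);
}

console.log(hasNestedUnboundedQuantifier(/^(\w+\s?)*$/i)); // true: the vulnerable pattern is flagged
console.log(hasNestedUnboundedQuantifier(SENTENCE));         // false: the hardened pattern is not
console.log(isSentence('a'.repeat(5000) + '!'));             // false, and it returns quickly
```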
Detection signals

How to detect CWE-1333

SAST High

Run static analysis (SAST) over the code, looking for the insecure pattern in the data flow.

DAST Moderate

Run dynamic application security testing (DAST) against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization-bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the framework's validated helpers.

Plexicus auto-remediation

Plexicus automatically detects CWE-1333 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this specific weakness, and delivers a review-ready pull request with the patch. No tickets. No handoffs.

FAQ

Frequently asked questions

What is CWE-1333?

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.

How severe is CWE-1333?

MITRE rates the likelihood of exploit as High: this weakness is actively exploited in practice and should be prioritized for remediation.

Which languages or platforms are affected by CWE-1333?

MITRE has not specified affected platforms for this CWE; it can apply to most application stacks.

How can I prevent CWE-1333?

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

How does Plexicus detect and fix CWE-1333?

The Plexicus SAST engine detects the data-flow signature for CWE-1333 on every commit. On a match, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-1333?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/1333.html. You can also consult the OWASP and NIST documentation for related guidance.

Ready when you are

Stop paying per developer.
Start closing the loop.

Plexicus is the AI-native ASPM that scans, filters, fixes, pentests and explains, autonomously. Unlimited developers, unlimited repos, fair-use AI actions. A real free tier, €269/mo billed annually when you're ready.