CWE-1333 Base Brouillon High likelihood

Inefficient Regular Expression Complexity

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential…

Définition

What is CWE-1333?

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.
The root cause lies in how many regex engines handle failed matches through a process called backtracking. When a pattern doesn't match, the engine tries different paths by rewinding to earlier decision points. A poorly designed regex—often involving nested quantifiers (like (a+)+) or ambiguous patterns—can create an exponential number of these backtracking paths relative to the input length. Attackers exploit this by providing carefully crafted, non-matching input that forces the engine to evaluate all possible backtracking paths. This causes CPU usage to spike dramatically, potentially freezing the application or server. The risk is highest when processing user-controlled strings without complexity limits, making regex-based input validation a common attack vector for denial-of-service.
Impact réel

Real-world CVEs caused by CWE-1333

  • CVE-2020-5243

    server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.

  • CVE-2021-21317

    npm package for user-agent parser prone to ReDoS due to overlapping capture groups

  • CVE-2019-16215

    Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.

  • CVE-2019-6785

    Long string in a version control product allows DoS due to an inefficient regex.

  • CVE-2019-12041

    Javascript code allows ReDoS via a long string due to excessive backtracking.

  • CVE-2015-8315

    ReDoS when parsing time.

  • CVE-2015-8854

    ReDoS when parsing documents.

  • CVE-2017-16021

    ReDoS when validating URL.

Comment les attaquants l'exploitent

Parcours de l'attaquant étape par étape

  1. 1

    This example attempts to check if an input string is a "sentence" [REF-1164].

  2. 2

    The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

  3. 3

    Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.

  4. 4

    This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].

  5. 5

    The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Exemple de code vulnérable

Vulnerable JavaScript

This example attempts to check if an input string is a "sentence" [REF-1164].

Vulnérable JavaScript 
var test_string = "Bad characters: $@#";
 var bad_pattern = /^(\w+\s?)*$/i;
 var result = test_string.search(bad_pattern);
Exemple de code sécurisé

Secure JavaScript

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Sécurisé JavaScript 
var test_string = "Bad characters: $@#";
 var good_pattern = /^((?=(\w+))\2\s?)*$/i;
 var result = test_string.search(good_pattern);
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Liste de contrôle de prévention

How to prevent CWE-1333

  • Architecture and Design Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • System Configuration Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
  • Implementation Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
  • Implementation Limit the length of the input that the regular expression will process.
Signaux de détection

How to detect CWE-1333

SAST High

Exécuter une analyse statique (SAST) sur le code source à la recherche du motif non sécurisé dans le flux de données.

DAST Moderate

Exécuter des tests de sécurité applicative dynamique (DAST) contre le point de terminaison en ligne.

Runtime Moderate

Surveiller les journaux runtime pour détecter des traces d'exception inhabituelles, des entrées malformées ou des tentatives de contournement d'autorisation.

Code review Moderate

Revue de code : signaler tout nouveau code qui traite les entrées de cette surface sans utiliser les helpers du framework validés.

Correction automatique Plexicus

Plexicus détecte automatiquement CWE-1333 et ouvre une PR de correction en moins de 60 secondes.

Codex Remedium analyse chaque commit, identifie cette faiblesse précise et livre une pull request prête à être relue avec le correctif. Pas de tickets. Pas de transferts.

Obtenir une démo Essayer Plexicus gratuitement
Questions fréquentes

Frequently asked questions

Qu'est-ce que CWE-1333 ?

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.

Quelle est la gravité de CWE-1333 ?

MITRE évalue la probabilité d'exploitation comme Élevée — cette faiblesse est activement exploitée et doit être priorisée pour la remédiation.

Quels langages ou plateformes sont affectés par CWE-1333 ?

MITRE n'a pas spécifié les plateformes affectées pour ce CWE — il peut s'appliquer à la plupart des stacks applicatives.

Comment puis-je prévenir CWE-1333 ?

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Comment Plexicus détecte et corrige CWE-1333 ?

Le moteur SAST de Plexicus reconnaît la signature de flux de données de CWE-1333 à chaque commit. Lorsqu'une correspondance est trouvée, notre agent Codex Remedium ouvre une PR de correction avec le code corrigé, les tests et un résumé d'une ligne pour le relecteur.

Où puis-je en savoir plus sur CWE-1333 ?

MITRE publie la définition canonique à https://cwe.mitre.org/data/definitions/1333.html. Vous pouvez également consulter la documentation OWASP et NIST pour des conseils adjacents.

Faiblesses associées

Weaknesses related to CWE-1333

CWE-407 Parent

Inefficient Algorithmic Complexity

This vulnerability occurs when a software component uses an algorithm with poor worst-case performance. An attacker can exploit this by…

Ressources

Further reading

Prêt quand vous l'êtes

Arrêtez de payer par développeur.
Commencez à fermer la boucle.

Plexicus est l'ASPM natif IA qui scanne, filtre, corrige, penteste et explique — de façon autonome. Développeurs illimités, dépôts illimités, actions IA à usage équitable. Vrai niveau gratuit, €269/mo annuel quand vous êtes prêt.

Commencer gratuitement Réserver une démo