CWE-1333 Base Rascunho High likelihood

Inefficient Regular Expression Complexity

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential…

Definição

What is CWE-1333?

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.
The root cause lies in how many regex engines handle failed matches through a process called backtracking. When a pattern doesn't match, the engine tries different paths by rewinding to earlier decision points. A poorly designed regex—often involving nested quantifiers (like (a+)+) or ambiguous patterns—can create an exponential number of these backtracking paths relative to the input length. Attackers exploit this by providing carefully crafted, non-matching input that forces the engine to evaluate all possible backtracking paths. This causes CPU usage to spike dramatically, potentially freezing the application or server. The risk is highest when processing user-controlled strings without complexity limits, making regex-based input validation a common attack vector for denial-of-service.
Impacto no mundo real

Real-world CVEs caused by CWE-1333

  • CVE-2020-5243

    server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.

  • CVE-2021-21317

    npm package for user-agent parser prone to ReDoS due to overlapping capture groups

  • CVE-2019-16215

    Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.

  • CVE-2019-6785

    Long string in a version control product allows DoS due to an inefficient regex.

  • CVE-2019-12041

    Javascript code allows ReDoS via a long string due to excessive backtracking.

  • CVE-2015-8315

    ReDoS when parsing time.

  • CVE-2015-8854

    ReDoS when parsing documents.

  • CVE-2017-16021

    ReDoS when validating URL.

Como os atacantes a exploram

Trajeto do atacante passo a passo

  1. 1

    This example attempts to check if an input string is a "sentence" [REF-1164].

  2. 2

    The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

  3. 3

    Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.

  4. 4

    This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].

  5. 5

    The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Exemplo de código vulnerável

Vulnerable JavaScript

This example attempts to check if an input string is a "sentence" [REF-1164].

Vulnerável JavaScript 
var test_string = "Bad characters: $@#";
 var bad_pattern = /^(\w+\s?)*$/i;
 var result = test_string.search(bad_pattern);
Exemplo de código seguro

Secure JavaScript

The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:

Seguro JavaScript 
var test_string = "Bad characters: $@#";
 var good_pattern = /^((?=(\w+))\2\s?)*$/i;
 var result = test_string.search(good_pattern);
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Lista de verificação de prevenção

How to prevent CWE-1333

  • Architecture and Design Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • System Configuration Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
  • Implementation Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
  • Implementation Limit the length of the input that the regular expression will process.
Sinais de deteção

How to detect CWE-1333

SAST High

Executar análise estática (SAST) na base de código à procura do padrão inseguro no fluxo de dados.

DAST Moderate

Executar testes dinâmicos de segurança de aplicações (DAST) contra o endpoint em execução.

Runtime Moderate

Monitorizar os registos em tempo de execução para traços de exceção invulgares, input malformado ou tentativas de contornar a autorização.

Code review Moderate

Revisão de código: sinalizar qualquer novo código que trate input desta superfície sem usar os ajudantes validados do framework.

Correção automática do Plexicus

O Plexicus deteta automaticamente o CWE-1333 e abre um PR de correção em menos de 60 segundos.

O Codex Remedium analisa cada commit, identifica esta fraqueza exata e entrega um pull request pronto para revisão com o patch. Sem tickets. Sem transferências.

Obter uma demonstração Experimente o Plexicus gratuitamente
Perguntas frequentes

Frequently asked questions

O que é o CWE-1333?

This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.

Qual a gravidade do CWE-1333?

A MITRE classifica a probabilidade de exploração como Alta — esta fraqueza é ativamente explorada em campo e deve ser priorizada para remediação.

Que linguagens ou plataformas são afetadas pelo CWE-1333?

A MITRE não especificou as plataformas afetadas por este CWE — pode aplicar-se à maioria das stacks de aplicações.

Como posso prevenir o CWE-1333?

Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.

Como é que o Plexicus deteta e corrige o CWE-1333?

O motor SAST do Plexicus correlaciona a assinatura de fluxo de dados do CWE-1333 em cada commit. Quando é encontrada uma correspondência, o nosso agente Codex Remedium abre um PR de correção com o código corrigido, testes e um resumo de uma linha para o revisor.

Onde posso saber mais sobre o CWE-1333?

A MITRE publica a definição canónica em https://cwe.mitre.org/data/definitions/1333.html. Pode também consultar a documentação da OWASP e do NIST para orientações adjacentes.

Fraquezas relacionadas

Weaknesses related to CWE-1333

CWE-407 Pai

Inefficient Algorithmic Complexity

This vulnerability occurs when a software component uses an algorithm with poor worst-case performance. An attacker can exploit this by…

Recursos

Further reading

Pronto quando você estiver

Pare de pagar por desenvolvedor.
Comece a fechar o ciclo.

O Plexicus é o ASPM nativo de IA que verifica, filtra, corrige, pentesta e explica — de forma autónoma. Programadores ilimitados, repos ilimitados, ações de IA de utilização justa. Nível gratuito real, €269/mo anual quando estiver pronto.

Começar grátis Reservar uma demo