How to Fix Catastrophic Regex Backtracking and ReDoS Vulnerabilities in JavaScript
Threat/Impact Level: CRITICAL | Exploitability/Downtime Risk: HIGH | Time to Fix: 15 mins
TL;DR
- What broke: A malicious or malformed input string is triggering exponential backtracking in your regex engine, exhausting the V8 call stack and locking the Node.js event loop — hard crash,
RangeError: Maximum call stack size exceeded. - How to fix it: Eliminate nested quantifiers and overlapping alternation. Rewrite using atomic groups, possessive quantifiers (via
(?:...)++in supported engines), or replace with a linear-time parser. - Shortcut: Use our Client-Side Sandbox below to auto-refactor this — paste your regex, get a hardened replacement without sending your pattern to any external server.
The Incident (What Does the Error Mean?)
You'll see this in your logs or crash dump:
RangeError: Maximum call stack size exceeded
at RegExp.exec (<anonymous>)
at String.match (<anonymous>)
at validateInput (/app/src/utils/parser.js:42:18)
The Node.js V8 engine's regex implementation uses a recursive backtracking NFA (Non-deterministic Finite Automaton). When your pattern contains ambiguous paths — typically nested quantifiers like (a+)+ or overlapping alternation like (a|aa)+ — and the input string doesn't match, the engine exhaustively tries every possible combination before failing. On a 30-character crafted string, this can mean billions of recursive calls. The call stack overflows. The event loop is blocked. Every concurrent request queues behind it. Your service is down.
This is not a theoretical risk. ReDoS has taken down Cloudflare (2019, 6-minute global outage), Stack Overflow (2016), and countless Node.js APIs running unvalidated user input through vulnerable patterns.
The Attack Vector / Blast Radius
ReDoS is trivially exploitable with zero authentication required. Any endpoint that accepts user-controlled strings and runs them through a vulnerable regex is the attack surface.
Attack mechanics:
- Attacker identifies an input field (email validator, URL parser, username field, search query).
- Sends a crafted string: e.g.,
aaaaaaaaaaaaaaaaaaaaaaaaaaabagainst pattern^(a+)+$. - Each additional character doubles the backtracking work. 30 chars = ~1 billion steps.
- Single-threaded Node.js event loop is fully blocked. No other requests are served.
- With 5-10 concurrent malicious requests, your service is effectively DDoS'd with zero network bandwidth cost to the attacker.
Blast radius in a microservices architecture:
- If the vulnerable service sits behind an API Gateway without per-route timeouts, the gateway's connection pool exhausts.
- Upstream services waiting on responses time out, triggering their own retry storms.
- A single unprotected regex validator can cascade into a full cluster brownout.
How to Fix It (The Solution)
Basic Fix — Eliminate Nested Quantifiers
The most common offender pattern:
- const emailRegex = /^([a-zA-Z0-9]+)*@([a-zA-Z0-9]+\.)+[a-zA-Z]{2,}$/;
+ const emailRegex = /^[a-zA-Z0-9]+@[a-zA-Z0-9]+(?:\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$/;
What changed: Removed the wrapping group with * quantifier around an already-quantified character class. The rewritten pattern is unambiguous — there is exactly one way to match each position.
Enterprise Best Practice — Timeout Wrapper + Static Analysis Gate
Never trust regex safety by inspection alone. Wrap all user-input regex execution with a hard timeout and enforce static analysis in your pipeline.
- function validateInput(input) {
- return /^(a+)+$/.test(input);
- }
+ import { withTimeout } from 'promise-timeout';
+ import RE2 from 're2'; // Google's RE2 — linear time guaranteed, no backtracking
+
+ function validateInput(input) {
+ // RE2 rejects catastrophic patterns at compile time
+ const safeRegex = new RE2(/^a+$/);
+ return safeRegex.test(input);
+ }
+
+ // For cases where RE2 syntax coverage is insufficient:
+ async function validateInputWithTimeout(input) {
+ return withTimeout(
+ Promise.resolve().then(() => /^[a-z]+$/.test(input)),
+ 50 // 50ms hard ceiling — tune per SLA
+ );
+ }
re2 (npm) compiles to Google's RE2 C++ library via N-API. It structurally prohibits backtracking — catastrophic patterns throw at instantiation, not at match time. This is the correct production-grade solution for any Node.js service processing untrusted input.
💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.
Prevention in CI/CD
ReDoS vulnerabilities should never reach production. Gate them at commit time.
1. vuln-regex-detector / safe-regex (npm) in pre-commit hooks:
- # No regex linting in pre-commit config
+ # .pre-commit-config.yaml
+ repos:
+ - repo: local
+ hooks:
+ - id: safe-regex-check
+ name: ReDoS Static Analysis
+ entry: npx safe-regex-cli --pattern-file src/
+ language: node
+ pass_filenames: false
2. ESLint plugin — eslint-plugin-regexp:
- // .eslintrc.js — no regex rules
+ // .eslintrc.js
+ module.exports = {
+ plugins: ['regexp'],
+ rules: {
+ 'regexp/no-super-linear-backtracking': 'error',
+ 'regexp/no-obscure-range': 'error',
+ 'regexp/optimal-quantifier-concatenation': 'warn'
+ }
+ };
3. Semgrep rule in your GitHub Actions pipeline:
+ # .github/workflows/sast.yml
+ - name: Semgrep ReDoS Scan
+ uses: returntocorp/semgrep-action@v1
+ with:
+ config: p/redos
4. Runtime enforcement — set --max-old-space-size and use a reverse proxy (Nginx/Envoy) with strict request timeouts upstream of your Node process. A 100ms upstream timeout kills the blocked event loop request before it starves the worker pool.
The layered defense: static analysis at commit → SAST in CI → RE2 in runtime → timeout at proxy. Any one of these stops a ReDoS incident. All four mean you never page at 3am for a regex.