cwe-1333-redos

SKILL.md

CWE-1333 ReDoS (Regular Expression Denial of Service)

Description

ReDoS (Regular Expression Denial of Service): a regular expression whose structure permits catastrophic backtracking (typically nested quantifiers such as `(a+)+`, or alternations whose branches overlap) is applied to attacker-controlled input. A crafted near-miss input, one that almost matches but fails at the end, makes the backtracking engine explore an exponential number of paths, so a single short request can pin a CPU core for seconds or minutes.

Reference: https://cwe.mitre.org/data/definitions/1333.html

OWASP Category: A03:2021 – Injection


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

```java
// VULNERABLE: Catastrophic backtracking
Pattern emailPattern = Pattern.compile("^([a-zA-Z0-9]+)+@[a-zA-Z0-9]+$");  // (X+)+ : inner and outer + compete for the same characters
Pattern nested = Pattern.compile("(a+)+b");  // Nested quantifiers: the textbook ReDoS shape

// User input matched against evil pattern
String userInput = request.getParameter("text");
if (userInput.matches("^(([a-z])+.)+[A-Z]([a-z])+$")) {  // (X+.)+ with '.' also matching [a-z]: nested again
    // Process
}
```

Why it's vulnerable: in `^([a-zA-Z0-9]+)+@...` the inner `+` and the outer `+` can each claim any part of the same run of characters, so a run of n alphanumerics can be divided between them in roughly 2^n ways. When the input then fails to match (for example, it has no `@`), the backtracking engine tries every division before giving up; a few dozen characters are enough to keep one thread busy for seconds, and a handful of such requests exhausts the server's worker pool. `(a+)+b` and `^(([a-z])+.)+[A-Z]([a-z])+$` have the same nested-quantifier structure and fail the same way.


Deterministic Fix

✅ Secure Implementation

```java
// SECURE: Use possessive quantifiers or atomic groups
// Option 1: Possessive quantifiers (no backtracking)
Pattern emailPattern = Pattern.compile("^[a-zA-Z0-9]++@[a-zA-Z0-9]++$");

// Option 2: Atomic groups
Pattern safePattern = Pattern.compile("^(?>[a-zA-Z0-9]+)@(?>[a-zA-Z0-9]+)$");

// Option 3: Timeout with interruptible matching
// Caveat: Future.cancel(true) only sets the worker thread's interrupt flag, and
// java.util.regex does not poll it, so the abandoned match keeps running unless the
// input is length-limited or wrapped in a CharSequence that checks for interruption.
Pattern pattern = emailPattern;   // the pattern to guard; userInput as read in the example above
ExecutorService executor = Executors.newSingleThreadExecutor();
Future<Boolean> future = executor.submit(() ->
    pattern.matcher(userInput).matches()
);
try {
    boolean result = future.get(100, TimeUnit.MILLISECONDS);
} catch (TimeoutException e) {
    future.cancel(true);
    throw new IllegalArgumentException("Pattern match timeout");
} catch (InterruptedException | ExecutionException e) {
    throw new IllegalStateException("Pattern match failed", e);
} finally {
    executor.shutdownNow();   // do not leak the worker thread
}
```

Why it's secure: a possessive quantifier (`++`) or atomic group (`(?>...)`) commits to whatever it consumed and never gives characters back, so the engine cannot re-partition the input and the match takes time linear in the input length. The timeout is a second line of defence for patterns you cannot rewrite: it bounds how long the request waits for an answer. It does not by itself stop the work, because `Future.cancel(true)` only sets the interrupt flag and `java.util.regex` never checks it; combine it with an input length limit or a `CharSequence` wrapper whose `charAt` aborts on interruption or deadline.


Detection Pattern

Look for these patterns in your codebase:

```bash
# Find nested quantifier patterns. This catches only the literal forms "+)+" and "*)*";
# mixed forms such as "+)*" or "*)+" and quantified groups like "(\d{2,})+" need a wider check.
grep -rn "Pattern.compile" --include="*.java" | grep -E "\\+\\)\\+|\\*\\)\\*"
```
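A slightly broader check than the grep above, added here as an example and not part of this skill: a small Java scanner that pulls the string literal out of each `Pattern.compile("...")` call and flags a quantified group that is itself quantified (`+)+`, `*)*`, `+)*`, `*)+`, `{n,})+` and so on), ignoring escaped `+` and `*`. The class name and the sample source lines are constructed for the demonstration. It is a heuristic: overlapping alternations such as `(a|aa)+` also backtrack catastrophically and are not caught, so a clean result is a prompt for review, not proof of safety.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: heuristic scan of Java source lines for nested quantifiers (not the skill's own code).
public final class NestedQuantifierScan {
    // The regex literal passed to Pattern.compile("..."), with Java escapes left exactly as written
    private static final Pattern COMPILE_CALL =
        Pattern.compile("Pattern\\.compile\\(\"((?:[^\"\\\\]|\\\\.)*)\"");
    // A quantifier (+, * or the '}' closing {n,m}) right before ')' and another quantifier right after it;
    // the negative lookbehind skips an escaped character such as "\\+)+", which is a literal plus
    private static final Pattern NESTED_QUANTIFIER =
        Pattern.compile("(?<!\\\\)[+*}]\\)[+*{]");

    /** Returns one finding per offending compile call, formatted as "line N: <regex> (<fragment>)". */
    static List<String> scan(String[] sourceLines) {
        List<String> findings = new ArrayList<>();
        for (int i = 0; i < sourceLines.length; i++) {
            Matcher call = COMPILE_CALL.matcher(sourceLines[i]);
            while (call.find()) {
                String regexLiteral = call.group(1);
                Matcher nested = NESTED_QUANTIFIER.matcher(regexLiteral);
                if (nested.find()) {
                    findings.add("line " + (i + 1) + ": " + regexLiteral
                                 + "  (nested quantifier '" + nested.group() + "')");
                }
            }
        }
        return findings;
    }

    // Constructed sample source; the comments state what the scan does with each line
    static final String[] SAMPLE_SOURCE = {
        "Pattern email = Pattern.compile(\"^([a-zA-Z0-9]+)+@[a-zA-Z0-9]+$\");", // flagged: +)+
        "Pattern words = Pattern.compile(\"^(\\\\w*)*$\");",                   // flagged: *)*
        "Pattern items = Pattern.compile(\"(\\\\d+)*,\");",                    // flagged: +)* (the grep misses this)
        "Pattern safe  = Pattern.compile(\"^[a-zA-Z0-9]++@[a-zA-Z0-9]++$\");", // clean: possessive, no repeated group
        "Pattern dotted = Pattern.compile(\"(\\\\d+\\\\.)*\\\\d+\");",          // clean: a separator sits between repeats
        "Pattern alt = Pattern.compile(\"(a|aa)+b\");",                        // overlapping alternation: not caught
    };

    public static void main(String[] args) {
        for (String finding : scan(SAMPLE_SOURCE)) {
            System.out.println(finding);
        }
    }
}
```

Run it with `java NestedQuantifierScan.java` (Java 11 or later); the first three sample lines are reported, the last three are not. To scan a real tree, feed `scan` the lines of each `*.java` file instead of `SAMPLE_SOURCE`.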

Remediation Steps

  1. Avoid nested quantifiers like (a+)+

  2. Use possessive quantifiers (++) when possible

  3. Implement timeout for regex matching

  4. Validate input length before regex matching
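The four remediation steps combined into one runnable class, as an added example that is not part of this skill's own code and also serves as a complete version of the Deterministic Fix above. The class name `SafeRegex`, the wrapper `DeadlineCharSequence`, the 256-character limit and the 100 ms budget are assumptions chosen for the demonstration. Unlike Option 3, the timeout here does not depend on `Future.cancel(true)`: since `java.util.regex` never polls the interrupt flag, the input is wrapped in a `CharSequence` whose `charAt` checks a deadline; the engine calls `charAt` on every step, so the runaway match aborts itself.

```java
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example: remediation steps 1-4 in one place (class names and limits are assumptions).
public final class SafeRegex {
    static final int MAX_INPUT_LENGTH = 256;   // step 4: reject oversized input before matching
    static final long TIMEOUT_MS = 100;        // step 3: CPU budget for a single match

    // Steps 1-2: no nested quantifier, and possessive (++) so the engine never backtracks
    static final Pattern SAFE_EMAIL = Pattern.compile("^[a-zA-Z0-9]++@[a-zA-Z0-9]++$");
    // The skill's vulnerable pattern, kept only to show the time budget being enforced
    static final Pattern EVIL_EMAIL = Pattern.compile("^([a-zA-Z0-9]+)+@[a-zA-Z0-9]+$");

    /** Thrown when a match exceeds its deadline. */
    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException(long budgetMs) { super("regex match exceeded " + budgetMs + " ms"); }
    }

    /**
     * CharSequence view that aborts the match once a deadline passes. java.util.regex
     * does not check Thread.interrupted(), so Future.cancel(true) cannot stop a runaway
     * match; charAt(), however, is called on every step the engine takes.
     */
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;
        private final long budgetMs;

        DeadlineCharSequence(CharSequence inner, long budgetMs) {
            this(inner, System.nanoTime() + TimeUnit.MILLISECONDS.toNanos(budgetMs), budgetMs);
        }
        private DeadlineCharSequence(CharSequence inner, long deadlineNanos, long budgetMs) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
            this.budgetMs = budgetMs;
        }
        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) {   // overflow-safe deadline comparison
                throw new RegexTimeoutException(budgetMs);
            }
            return inner.charAt(index);
        }
        @Override public int length() { return inner.length(); }
        @Override public CharSequence subSequence(int start, int end) {
            // share the original deadline so a sub-view cannot extend the budget
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos, budgetMs);
        }
        @Override public String toString() { return inner.toString(); }
    }

    /** Full match with a length check and a hard time budget. */
    static boolean matchesSafely(Pattern pattern, String input) {
        if (input == null || input.length() > MAX_INPUT_LENGTH) {
            throw new IllegalArgumentException("input missing or longer than " + MAX_INPUT_LENGTH + " chars");
        }
        Matcher m = pattern.matcher(new DeadlineCharSequence(input, TIMEOUT_MS));
        return m.matches();   // RegexTimeoutException escapes from here once the budget is spent
    }

    public static void main(String[] args) {
        // Constructed inputs: a valid address, and a near miss (no '@') that forces the
        // nested-quantifier pattern to try every way of dividing the run of 'a's.
        String valid = "alice123@example";
        String nearMiss = "a".repeat(40) + "!";

        System.out.println("safe pattern, valid input : " + matchesSafely(SAFE_EMAIL, valid));
        System.out.println("safe pattern, near miss   : " + matchesSafely(SAFE_EMAIL, nearMiss));
        try {
            System.out.println("evil pattern, near miss   : " + matchesSafely(EVIL_EMAIL, nearMiss));
        } catch (RegexTimeoutException e) {
            System.out.println("evil pattern, near miss   : aborted, " + e.getMessage());
        }
    }
}
```

Run with `java SafeRegex.java` (Java 11 or later for `String.repeat`). The possessive pattern answers both inputs immediately; the nested-quantifier pattern on the near miss is cut off by `DeadlineCharSequence` at the 100 ms budget instead of running for minutes. In production, treat `RegexTimeoutException` like any other input-validation failure: reject the request, log the pattern and input length, and do not retry.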


Key Imports


```java
import java.util.regex.Pattern;

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
```


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-1333 vulnerability
Resolve ReDoS (Regular Expression Denial of Service) issue
Secure this Java code against redos (regular expression denial of service)
SAST reports CWE-1333

Common Vulnerable Locations

| Layer | Files | Patterns |
| --- | --- | --- |
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07
