Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.
CWE-1333 Base Draft
Inefficient Regular Expression Complexity
This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential…
Definition
What is CWE-1333?
This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.
The root cause lies in how many regex engines handle failed matches through a process called backtracking. When a pattern doesn't match, the engine tries different paths by rewinding to earlier decision points. A poorly designed regex—often involving nested quantifiers (like (a+)+) or ambiguous patterns—can create an exponential number of these backtracking paths relative to the input length.
Attackers exploit this by providing carefully crafted, non-matching input that forces the engine to evaluate all possible backtracking paths. This causes CPU usage to spike dramatically, potentially freezing the application or server. The risk is highest when processing user-controlled strings without complexity limits, making regex-based input validation a common attack vector for denial-of-service.
Real-world impact
Real-world CVEs caused by CWE-1333
-
server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
-
npm package for user-agent parser prone to ReDoS due to overlapping capture groups
-
Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.
-
Long string in a version control product allows DoS due to an inefficient regex.
-
Javascript code allows ReDoS via a long string due to excessive backtracking.
-
ReDoS when parsing time.
-
ReDoS when parsing documents.
-
ReDoS when validating URL.
How attackers exploit it
Step-by-step attacker path
- 1
This example attempts to check if an input string is a "sentence" [REF-1164].
- 2
The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:
- 3
Note that [REF-1164] has a more thorough (and lengthy) explanation of everything going on within the RegEx.
- 4
This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].
- 5
The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:
Vulnerable code example
Vulnerable JavaScript
This example attempts to check if an input string is a "sentence" [REF-1164].
var test_string = "Bad characters: $@#";
var bad_pattern = /^(\w+\s?)*$/i;
var result = test_string.search(bad_pattern); Secure code example
Secure JavaScript
The regular expression has a vulnerable backtracking clause inside (\w+\s?)*$ which can be triggered to cause a Denial of Service by processing particular phrases. To fix the backtracking problem, backtracking is removed with the ?= portion of the expression which changes it to a lookahead and the \2 which prevents the backtracking. The modified example is:
var test_string = "Bad characters: $@#";
var good_pattern = /^((?=(\w+))\2\s?)*$/i;
var result = test_string.search(good_pattern); What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-1333
- Architecture and Design Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
- System Configuration Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
- Implementation Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
- Implementation Limit the length of the input that the regular expression will process.
Detection signals
How to detect CWE-1333
Run dynamic application security testing against the live endpoint.
Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.
Code review: flag any new code that handles input from this surface without using the validated framework helpers.
Plexicus auto-detects CWE-1333 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-1333?
How serious is CWE-1333?
What languages or platforms are affected by CWE-1333?
How can I prevent CWE-1333?
How does Plexicus detect and fix CWE-1333?
Where can I learn more about CWE-1333?
Frequently asked questions
What is CWE-1333?
This vulnerability occurs when an application uses a poorly constructed regular expression that can trigger catastrophic backtracking, leading to extreme CPU consumption and potential denial-of-service.
How serious is CWE-1333?
MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.
What languages or platforms are affected by CWE-1333?
MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.
How can I prevent CWE-1333?
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
How does Plexicus detect and fix CWE-1333?
Plexicus's SAST engine matches the data-flow signature for CWE-1333 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-1333?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/1333.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-1333
Resources
Further reading
- MITRE — official CWE-1333 https://cwe.mitre.org/data/definitions/1333.html
- Regular Expression Denial of Service https://web.archive.org/web/20031120114522/http://www.cs.rice.edu/~scrosby/hash/slides/USENIX-RegexpWIP.2.ppt
- Runaway Regular Expressions: Catastrophic Backtracking https://www.regular-expressions.info/catastrophic.html
- Regular expression Denial of Service - ReDoS https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- Catastrophic backtracking https://javascript.info/regexp-catastrophic-backtracking
- Freezing the Web: A Study of ReDoS Vulnerabilities in JavaScript-based Web Servers https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-staicu.pdf
- The Impact of Regular Expression Denial of Service (ReDoS) in Practice: An Empirical Study at the Ecosystem Scale https://fservant.github.io/papers/Davis_Coghlan_Servant_Lee_ESECFSE18.pdf
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.