[Pkg-javascript-devel] ReDOS and RegExp in javascript: be careful when matching end of string
Jérémy Lal
kapouer at melix.org
Thu Jul 24 09:42:59 BST 2025
Hello,
RegExp needs to be anchored to something.
This seemingly innocuous RegExp is vulnerable to ReDOS:
/a+$/
To fix it, it needs to be anchored to something:
/([^a]|^)a+$/
If one knows that the string has something else before it, it simplifies to:
/[^a]a+$/
console.time("redos");
('a'.repeat(50000) + '\x00a').match(/a+$/);      // unanchored: the engine restarts at every 'a' and backtracks through the whole run
console.timeEnd("redos");
// measured output:
redos: 2.506s

console.time("no redos");
('a'.repeat(50000) + '\x00a').match(/[^a]a+$/);  // anchored: inside the run [^a] fails immediately, so only the NUL position is tried
console.timeEnd("no redos");
// measured output:
no redos: 0.639ms
See you !
Jérémy
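The following is an added example and not code from Jérémy's message. It puts the three patterns from the post side by side on the same adversarial input, adds a lookbehind variant and a regex-free backward scan as further hardening options (these two are my additions, not from the post), and times each pattern at n and 2n so the quadratic versus linear growth is visible. It assumes Node.js 16 or later (global `performance.now`, ES2018 lookbehind); every input string is constructed here for the demonstration.

```javascript
// Added example, not code from Jérémy's post. Assumes Node.js 16+ (global
// performance.now) with ES2018 lookbehind support. All inputs are constructed.

const VULNERABLE = /a+$/;            // no anchor: O(n^2) on "aaa...a\x00a"
const ANCHORED   = /([^a]|^)a+$/;    // the general fix from the post
const SIMPLIFIED = /[^a]a+$/;        // assumes something non-'a' precedes the run
const LOOKBEHIND = /(?<=^|[^a])a+$/; // same anchoring via lookbehind; match[0] is just the run

// The adversarial input from the post: n 'a's, a NUL, then one more 'a'.
// /a+$/ starts a match at each of the n 'a's, eats the rest of the run, fails
// at '$' because of the NUL, then gives back one 'a' at a time: n attempts
// per start position times n start positions.
function adversarial(n) {
  return 'a'.repeat(n) + '\x00a';
}

// Text of the trailing run of 'a's (or null) as seen through each pattern.
// The anchored forms include the anchoring character in match[0], so it is
// stripped here to make the four results comparable.
function trailingRun(s) {
  const v = s.match(VULNERABLE);
  const a = s.match(ANCHORED);
  const si = s.match(SIMPLIFIED);
  const lb = s.match(LOOKBEHIND);
  return {
    vulnerable: v ? v[0] : null,
    anchored: a ? a[0].slice(a[1].length) : null, // a[1] is '' when '^' matched
    simplified: si ? si[0].slice(1) : null,       // drop the [^a] character
    lookbehind: lb ? lb[0] : null,
  };
}

// Regex-free alternative: scan backwards from the end. O(n), independent of
// engine backtracking, and behaves like the '^'-anchored form on an all-'a' string.
function trailingRunScan(s) {
  let i = s.length;
  while (i > 0 && s[i - 1] === 'a') i--;
  return i === s.length ? null : s.slice(i);
}

// Wall-clock milliseconds for one match attempt.
function timeMatch(re, s) {
  const t0 = performance.now();
  re.test(s);
  return performance.now() - t0;
}

// Time at n and at 2n: a quadratic pattern takes about 4x longer, a linear
// one about 2x (the ratio is noisy for sub-millisecond timings).
function scaling(re, n) {
  const msAtN = timeMatch(re, adversarial(n));
  const msAt2N = timeMatch(re, adversarial(2 * n));
  return { n, msAtN, msAt2N, ratio: msAtN > 0 ? msAt2N / msAtN : NaN };
}

const PATTERNS = [
  ['/a+$/', VULNERABLE],
  ['/([^a]|^)a+$/', ANCHORED],
  ['/[^a]a+$/', SIMPLIFIED],
  ['/(?<=^|[^a])a+$/', LOOKBEHIND],
];

for (const [name, re] of PATTERNS) {
  const r = scaling(re, 8000);
  console.log(`${name.padEnd(18)} n=${r.n}: ${r.msAtN.toFixed(2)} ms, 2n: ${r.msAt2N.toFixed(2)} ms, ratio ${r.ratio.toFixed(1)}`);
}

// Edge case the simplified form does not cover: a string that is only 'a's.
console.log(trailingRun('aaaa'));
console.log(trailingRunScan('aaaa'));
```

The `trailingRun('aaaa')` call is the caveat to the simplified form: `/[^a]a+$/` returns null on a string that starts with the run, while the `([^a]|^)` form, the lookbehind form and the backward scan all return the whole string. Use the simplified pattern only when the input is known to carry a non-'a' prefix; otherwise keep the `^` alternative or avoid the regex altogether.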