Denial of Service: Regular Expression

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.
Example:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.
Example:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is repeated. Additionally, attackers can exploit any regular expression that contains alternate subexpressions that overlap one another. This defect can be used to execute a Denial of Service (DoS) attack.
Example:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.
Example:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. Attackers can use this defect to execute a Denial of Service (DoS) attack.
Example:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.
Example 1: If the following regular expressions are used in the identified vulnerable code a denial of service could occur:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

Example of problematic code relying on a flawed regular expressions:

NSString *regex = @"^(e+)+$";
NSPredicate *pred = [NSPRedicate predicateWithFormat:@"SELF MATCHES %@", regex];
if ([pred evaluateWithObject:mystring]) {
  //do something
}

Most regular expression parsers build Nondeterministic Finite Automaton (NFA) structures when evaluating regular expressions. The NFA tries all possible matches until a complete match is found. Given the previous example, if the attacker supplies the match string "eeeeZ" then there are 16 internal evaluations that the regex parser must go through to identify a match. If the attacker provides 16 "e"s ("eeeeeeeeeeeeeeeeZ") as the match string then the regex parser must go through 65536 (2^16) evaluations. The attacker may easily consume computing resources by increasing the number of consecutive match characters. There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.
Example:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.
Example:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

There are no known regular expression implementations which are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to over-consume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating repeating and alternating overlapping of nested and repeated regex groups. This defect can be used to execute a Denial of Service (DoS) attack.
Example:

(e+)+
([a-zA-Z]+)*

There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.
Example:

  (e+)+
  ([a-zA-Z]+)*
  (e|ee)+

There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.

Untrusted data is passed to the application and used as a regular expression. This can cause the thread to overconsume CPU resources.

There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a grouping expression that is itself repeated. Additionally, any regular expression that contains alternate subexpressions that overlap one another can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.

Example 1: If the following regular expressions are used in the identified vulnerable code a denial of service could occur:

(e+)+
([a-zA-Z]+)*
(e|ee)+

Example of problematic code relying on a flawed regular expressions:

let regex : String = "^(e+)+$"
let pred : NSPredicate = NSPRedicate(format:"SELF MATCHES \(regex)")
if (pred.evaluateWithObject(mystring)) {
  //do something
}

Most regular expression parsers build Nondeterministic Finite Automaton (NFA) structures when evaluating regular expressions. The NFA tries all possible matches until a complete match is found. Given Example 1, if the attacker supplies the match string "eeeeZ" then there are 16 internal evaluations that the regex parser must go through to identify a match. If the attacker provides 16 "e"s ("eeeeeeeeeeeeeeeeZ") as the match string then the regex parser must go through 65536 (2^16) evaluations. The attacker may easily consume computing resources by increasing the number of consecutive match characters. There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.