Will It Vibe logoWill It Vibe?
PERF-004Medium severity-8 points

Regex with a catastrophic-backtracking shape (ReDoS)

Part of Code Quality & Syntax, which counts for 20% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A regex literal or new RegExp(...) string has a nested-quantifier shape such as (a+)+, (.*)+, or (\w+)*. Against a crafted input these can take exponential time and hang the process (CWE-1333). This is a shape heuristic: some matches are safe in practice because the inner and outer parts cannot both match the same characters, so verify before treating this as urgent.

Why it matters

A regex with a nested-quantifier shape like (a+)+, (.*)+, or (\w+)* can make JavaScript's backtracking regex engine take exponential time on certain crafted inputs (a well-known class called ReDoS, CWE-1333). If that regex ever runs against user-supplied or otherwise untrusted input, a single request can pin a CPU core and, in Node, freeze the whole event loop, taking the process down for every other request too. This is a shape-based heuristic: it flags the pattern's structure, not proof that a bad input exists, and some matches are actually safe because the inner and outer parts cannot both match the same characters.

How to fix it

Rewrite the regex to remove the nested repetition, most often by making the inner and outer parts mutually exclusive (for example (a+)+ frequently just means a+) or by using an atomic-group/possessive-quantifier workaround where supported. If you cannot simplify it, test the pattern against a tool like safe-regex or the OWASP ReDoS checker, and consider a length cap on the input before it reaches the regex.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Code Quality & Syntax checks