CWE-1333: Inefficient Regular Expression Complexity
Also known as: ReDoS, Regular Expression Denial of Service, Catastrophic backtracking
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Last updated
Overview
CWE-1333 (Inefficient Regular Expression Complexity) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match.
Real-world CVEs
319 recorded CVEs are caused by CWE-1333 (Inefficient Regular Expression Complexity). The highest-severity and most recent are shown first. 60 new CWE-1333 CVEs have been recorded so far in 2026 (79 in 2025).
- CVE-2026-52778
YesWiki has Unsafe eval() in Formula Calculator - Remote Code Execution (RCE) & Denial of Service (DoS)
Critical · CVSS 9.8 · EPSS 43th2026-06-08 - CVE-2025-62484
Zoom Workplace Clients - Inefficient Regular Expression Complexity
Critical · CVSS 9.8 · EPSS 21th2025-11-13 - CVE-2023-29486Critical · CVSS 9.8 · EPSS 60th2023-12-21
- CVE-2026-25547
Uncontrolled Resource Consumption in @isaacs/brace-expansion
Critical · CVSS 9.2 · EPSS 38th2026-02-04 - CVE-2025-25200
Koa has Inefficient Regular Expression Complexity
Critical · CVSS 9.2 · EPSS 53th2025-02-12 - CVE-2026-48801
linkify-it: Quadratic algorithmic complexity in LinkifyIt#match scan loop
High · CVSS 8.7 · EPSS 36th2026-07-14 - CVE-2026-45305
Symfony: YAML Parser ReDoS via Catastrophic Backtracking in Parser::cleanup() Regex
High · CVSS 8.7 · EPSS 51th2026-07-14 - CVE-2026-57584
Phalcon: Catastrophic backtracking (ReDoS) in the default Phalcon Router route lead to remote unauthenticated DoS
High · CVSS 8.7 · EPSS 34th2026-07-10 - CVE-2026-55574
vLLM: ReDoS via structured_outputs.regex compiled without timeout in xgrammar and outlines backends
High · CVSS 8.7 · EPSS 25th2026-07-06 - CVE-2026-47138
Parse Server: Pre-authentication denial of service via client version header regex backtracking
High · CVSS 8.7 · EPSS 44th2026-06-12 - CVE-2026-33079
Mistune ReDoS in LINK_TITLE_RE allows denial of service with crafted Markdown titles
High · CVSS 8.7 · EPSS 38th2026-05-06 - CVE-2026-41040High · CVSS 8.7 · EPSS 29th2026-04-23
Showing 12 of 319 recorded CWE-1333 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-1333 vulnerabilitiesCommon consequences
What can happen when CWE-1333 is exploited.
DoS: Resource Consumption (CPU)
Affects: Availability
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-1333, grouped by where in the lifecycle they apply.
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Effectiveness: High — This is one of the few effective solutions when using user-provided regular expressions.
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Effectiveness: Moderate
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Effectiveness: High
Limit the length of the input that the regular expression will process.
Effectiveness: Moderate
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This example attempts to check if an input string is a "sentence" [REF-1164].
This example attempts to check if an input string is a "sentence" and is modified for Perl [REF-1164].
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2020-5243 — server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
- CVE-2021-21317 — npm package for user-agent parser prone to ReDoS due to overlapping capture groups
- CVE-2019-16215 — Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.
- CVE-2019-6785 — Long string in a version control product allows DoS due to an inefficient regex.
- CVE-2019-12041 — Javascript code allows ReDoS via a long string due to excessive backtracking.
- CVE-2015-8315 — ReDoS when parsing time.
- CVE-2015-8854 — ReDoS when parsing documents.
- CVE-2017-16021 — ReDoS when validating URL.
Terminology & mappings
Alternate terms
- ReDoS
- ReDoS is an abbreviation of "Regular expression Denial of Service".
- Regular Expression Denial of Service
- While this term is attack-focused, this is commonly used to describe the weakness.
- Catastrophic backtracking
- This term is used to describe the behavior of the regular expression as a negative technical impact.
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-1333.
- What is CWE-1333?
- The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
- What CVEs are caused by CWE-1333?
- 319 recorded CVEs are attributed to CWE-1333, including CVE-2026-52778, CVE-2025-62484, CVE-2023-29486.
- How do you prevent CWE-1333?
- Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
- How is CWE-1333 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-1333?
- Exploiting CWE-1333 can lead to: DoS: Resource Consumption (CPU).
- Is CWE-1333 actively exploited?
- 319 recorded CVEs are caused by CWE-1333; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-1333) (opens in a new tab)
- CWE-1333 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-1333
Get alerted the moment a new CWE-1333 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.