CWE-1333: Inefficient Regular Expression Complexity
Also known as: ReDoS, Regular Expression Denial of Service, Catastrophic backtracking
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Last updated
Overview
CWE-1333 (Inefficient Regular Expression Complexity) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match.
Real-world CVEs
319 recorded CVEs are caused by CWE-1333 (Inefficient Regular Expression Complexity). The highest-severity and most recent are shown first. 60 new CWE-1333 CVEs have been recorded so far in 2026 (79 in 2025).