Awesome ReDoS Security

This is a list of useful info for real world ReDoS (AKA RegEx DoS, AKA Regular Expression Denial of Service) vulnerabilities. ReDoS is primarily caused by catastrophic backtracking (AKA evil RegEx). ReDoS vulnerabilities are interesting because they are fairly easy to verify, but at the time this repo was created, there is no "go to" tool for identifying ReDoS vulnerabilities in codebases. However, several researchers have found multiple vulnerabilities of this type.

---

Contributions

Contributions are welcome! Updates with new CVEs are particularly helpful.

---

Table of Contents

• Awesome ReDoS Security
  • Contributions
  • Table of Contents
  • ReDoS CVEs
  • ReDoS Tools
  • ReDoS Vulnerable Expressions Lists

---

ReDoS CVEs

This table captures a list of real-world security issues along with the actual commit showing the before (vulnerable) and after (presumably not vulnerable) regular expressions. This information was manually collected using the NVD CVE database with queries such as "regex dos", "regex backtrack", and "regular expression denial of service". Other useful lists include this list from TU Darmstadt, this list from Yeting Li, and this list from Doyensec.

CVE	Vulnerable Project	Main Project Language	Fix Commit	Related Links	Advisories
CVE-2022-21680	marked	JavaScript	c4a3ccd		Advisory
CVE-2022-24713	regex crate	Rust	ae70b41		Advisory
CVE-2021-3733	urllib	Python	PR #24391	Python bug report	Advisory
CVE-2021-21254	ckeditor5	JavaScript	5ba3bf5		Advisory
CVE-2021-21267	schema-inspector	JavaScript	PR #92		Advisory
CVE-2021-21306	marked	JavaScript	PR #1864	Issue #1927	Advisory
CVE-2021-21317	uap-core	JavaScript	dc9925d		Advisory
CVE-2021-21391	ckeditor5	JavaScript	e36175e		Advisory
CVE-2021-22880	Ruby on Rails	Ruby	eddda4d	HackerOne Report	Advisory
CVE-2021-23341	prismjs	JavaScript	PR #2584	Issue #2583	Advisory
CVE-2021-23343	path-parse	JavaScript	Fork PR	Issue #8
CVE-2021-23346	html-parse-stringify	JavaScript	c7274a4		Advisory
CVE-2021-23354	node printf	JavaScript	PR #32		Advisory
CVE-2021-23362	hosted-git-info	JavaScript	29adfe5	PR #76
CVE-2021-23364	browserslist	JavaScript	PR #593 c091916		Advisory
CVE-2021-23368	post-css	JavaScript	8682b1e b6f3e4d		Advisory
CVE-2021-23371	chrono	JavaScript	98815b5	Issue #382	Advisory
CVE-2021-23382	postcss	JavaScript	2b1d04c
CVE-2021-23388	forms	JavaScript	PR #214		Advisory
CVE-2021-23425	trim-off-newlines	JavaScript	PR #3
CVE-2021-23437	Python Pillow	Python	9e08eb8
CVE-2021-23446	handsontable	JavaScript	PR #8742	Issue #8752	Advisory
CVE-2021-23490	parse-link-header	JavaScript	72f05c7
CVE-2021-25292	Python Pillow	Python	3bce145 cbdce6c		Advisory
CVE-2021-27290	ssri	JavaScript	76e2233	Email exchange	Advisory
CVE-2021-27291	pygments	Python	2e7e8c4		Advisory
CVE-2021-27292	ua-parser-js	JavaScript	809439e	Gist	Advisory
CVE-2021-28092	is-svg	JavaScript	01f8a08		Advisory
CVE-2021-29469	node-redis	JavaScript	PR #1595		Advisory
CVE-2021-32640	ws	JavaScript	00c425e		Advisory
CVE-2021-32740	addressable	Ruby	b48ff03		Advisory
CVE-2021-33587	css-what	JavaScript	4cdaacf		Advisory
CVE-2021-33502	normalize-url	JavaScript	b1fdb51		Advisory
CVE-2021-33503	urllib3	Python	2d4a3fe		Advisory
CVE-2021-41817	date gem	Ruby	3959acc	Ruby blogpost
CVE-2021-42836	gjson	Golang	77a57fd	Issue #236 Issue #237
CVE-2021-43854	ntlk	Python	1405aad	PR #2869	Advisory
CVE-2021-44686	Calibre	Python	235b7e3	Bug report
SNYK-PYTHON-MARKDOWN2-1321158	markdown2	Python	d6a56f4	PR #402	Advisory
SNYK-JS-STRINGKIT-1567201	string-kit	JavaScript	9cac4c2	Issue #3
CVE-2020-1920	react-native	JavaScript	ca09ae8		Advisory
CVE-2020-5236	waitress	Python	6e46f9e		Advisory
CVE-2020-5243	uap-core	JavaScript	0afd61e		Advisory
CVE-2020-6817	bleach	Python	d6018f2	Mozilla issue	Advisory
CVE-2020-7661	url-regex	JavaScript	Fork PR
CVE-2020-7662	faye websocket-extensions	JavaScript	29496f6		Advisory
CVE-2020-7733	ua-parser-js	JavaScript	233d3ba
CVE-2020-7754	npm-user-validate	JavaScript	PR #15		Advisory
CVE-2020-7755	dat.gui	JavaScript	PR #279	Issue #278
CVE-2020-7760	codemirror	JavaScript	55d0333
CVE-2020-7761	kafe	JavaScript	c644c79
CVE-2020-7793	ua-parser-js	JavaScript	6d1f26d
CVE-2020-8492	urllib	Python	PR #18284
CVE-2020-13333	GitLab	Ruby	2e39d006 ad6de575
CVE-2020-26256	fast-csv	JavaScript	4bbd39f	Semmle query	Advisory
CVE-2020-28493	Jinja2	Python	PR #1343
CVE-2020-28496	three	JavaScript	PR #21143	Issue #21132
CVE-2020-28469	glob-parent	JavaScript	PR #36	Issue #32
CVE-2020-28500	lodash	JavaScript	PR #5065
CVE-2020-28501	es6-crawler-detect	JavaScript	PR #27
CVE-2020-29651	py	Python	PR #257	Issue #256
CVE-2020-36066	gjson	Golang	9f58baa c2f5341	Issue #195
CVE-2018-20164	uap-core	JavaScript	947f80b	Issue #332
CVE-2017-15010	tough-cookie	JavaScript	PR #97	PoC
CVE-2017-16098	charset	JavaScript	PR #11	PoC
CVE-2017-16100	dns-sync	JavaScript	Fork PR	PoC
CVE-2017-16113	parsejson	JavaScript	Issue #4	PoC	Advisory
CVE-2017-16114	marked	JavaScript	PR #945	PoC
CVE-2017-16115	timespan	JavaScript	Fork PR	PoC
CVE-2017-16116	string	JavaScript	PR #217	PoC
CVE-2017-16117	slug	JavaScript	PR #91	PoC
CVE-2017-16137	debug	JavaScript	PR #504	PoC	Advisory
CVE-2017-16138	mime	JavaScript	Issue #167	PoC	Advisory
CVE-2017-18214	moment	JavaScript	PR #4326	PoC
CVE-2016-4055	moment	JavaScript	PR #2939	Issue #2936
CVE-2016-10527	riot compiler	JavaScript	c033d2c 783521c	Related Issue
CVE-2016-10540	minimatch	JavaScript	6944abf
CVE-2014-3538	file	C	4a284c8 71a8b6c
npm:underscore.string:20170908	underscore.string	JavaScript	PR #517	PoC
npm:mobile-detect:20170907	mobile-detect	JavaScript	7222f6e	PoC
SNYK-JS-ISMOBILEJS-72624	ismobilejs	JavaScript	PR #77	Issue #66 PoC

---

ReDoS Tools

To Do: Compare these tools against the real world CVEs listed above to find the strengths and weaknesses of each tool. Or is there a "best" tool?

• https://github.com/doyensec/regexploit (last commit in 2021)
• https://www.regexbuddy.com/debug.html (last updated in 2021)
• https://github.com/jkutner/saferegex (last commit in 2020)
• https://github.com/n4o847/seccamp-redos (last commit in 2020)
• https://github.com/NicolaasWeideman/RegexStaticAnalysis (last commit in 2020)
• https://github.com/davisjam/vuln-regex-detector (last commit in 2019)
• https://github.com/gagyibenedek/ReDoS-checker (last commit in 2018)
• https://github.com/jagracey/RegEx-DoS (last commit in 2016)
• https://github.com/olivo/redos-detector (last commit in 2016)
• https://web.archive.org/web/20200825222652/https://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml (last updated in 2013)

---

ReDoS Vulnerable Expressions Lists

• https://owasp.org/www-community/OWASP_Validation_Regex_Repository
• https://github.com/EnDe/ReDoS/blob/master/ReDoS.txt