DerScanner
Home / Vulnerability Database / Java : DOS attack via regular expressions possible
Java

Java : DOS attack via regular expressions possible

Classification

CWE
CWE-400

Overview

The regexp used is unreliable, which can be computationally intensive for some inputs. Regular expression denial of service (ReDOS) attack is possible.

Regular expressions are widely used in applications to validate the user-supplied data. Expressions containing structures like (( )+)+ cause execution of a significant amount of iterations. By inputting a certain type of string an attacker can disrupt the application operation. All implementations of regular expressions have such vulnerabilities.

References

  1. OWASP: Regular expression Denial of Service
  2. Runaway Regular Expressions: Catastrophic Backtracking – regular-expressions.info
  3. saferegex – Tool for testing regular expressions for ReDoS vulnerabilities
  4. CWE-400: Uncontrolled Resource Consumption
  5. Catastrophic Backtracking
MEDIUM

DerScanner Severity Score

Do you want to fix Java : DOS attack via regular expressions possible in your application?

See also

Java

Java : Race condition

Java

Java : Text4Shell Vulnerability

Java

Java : JNI usage