CWE • Base • Draft • 20 recent CVEs
CWE-1333: Inefficient Regular Expression Complexity
Description
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Common consequences
- Availability → DoS: Resource Consumption (CPU). Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
Potential mitigations
- Architecture and Design: Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
- System Configuration: Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
- Implementation: Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
- Implementation: Limit the length of the input that the regular expression will process.
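The two implementation mitigations above (removing nested quantifiers and limiting input length), shown as an added example that is not part of the CWE entry. The pattern `^(a+)+$`, the 256-character cap and the function names are assumptions chosen for illustration; the step counter is a simplified model of a backtracking matcher, not any real engine's internals.

```python
import re

MAX_INPUT_LEN = 256                  # assumed cap; size it to the field being validated
FLAT = re.compile(r"a+")             # same language as ^(a+)+$, no nested quantifier


def nested_steps(s):
    """Model a naive backtracking matcher for ^(a+)+$ and count its attempts."""
    steps = 0

    def group(i):
        nonlocal steps
        j = i
        while j < len(s) and s[j] == "a":    # inner a+ takes the longest run first
            j += 1
        for end in range(j, i, -1):          # then gives back one character at a time
            steps += 1
            if end == len(s) or group(end):  # '$' reached, or outer '+' repeats the group
                return True
        return False

    return group(0), steps


def flat_steps(s):
    """Character comparisons for ^a+$: one left-to-right scan, nothing to retry."""
    i = 0
    while i < len(s) and s[i] == "a":
        i += 1
    return (i == len(s) and i > 0), min(i + 1, len(s))


def validate(s):
    """Hardened check: reject oversized input first, then use the flat pattern."""
    if len(s) > MAX_INPUT_LEN:
        return False
    return FLAT.fullmatch(s) is not None


if __name__ == "__main__":
    for n in (4, 8, 16):                     # constructed non-matching inputs
        probe = "a" * n + "!"
        print(n, nested_steps(probe)[1], flat_steps(probe)[1], validate(probe))
```

In this model the nested pattern needs 2^n - 1 attempts to reject n matching characters followed by one mismatch, while the flat pattern needs n + 1 comparisons.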
Related CWEs
Recent CVEs classified under this CWE
- CVE-2026-52778 · 9.8 · 2026-06-08
- CVE-2026-11478 · 3.3 · 2026-06-08
- CVE-2026-45409 · 2026-06-05
- CVE-2026-8888 · 7.5 · 2026-06-03
- CVE-2026-10692 · 4.3 · 2026-06-03
- CVE-2026-10691 · 4.3 · 2026-06-03
- CVE-2026-10291 · 4.3 · 2026-06-01
- CVE-2026-44796 · 6.5 · 2026-05-28
- CVE-2026-9496 · 7.5 · 2026-05-26
- CVE-2026-44425 · 5.4 · 2026-05-13
- CVE-2026-8159 · 7.5 · 2026-05-12
- CVE-2026-33079 · 2026-05-06
- CVE-2026-41040 · 7.5 · 2026-04-23
- CVE-2026-39320 · 7.5 · 2026-04-21
- CVE-2026-40319 · 5.5 · 2026-04-17
- CVE-2026-5986 · 5.3 · 2026-04-09
- CVE-2026-35041 · 4.2 · 2026-04-09
- CVE-2026-35611 · 7.5 · 2026-04-07
- CVE-2026-35458 · 9.8 · 2026-04-07
- CVE-2026-35213 · 2026-04-06