Impact
There is a vulnerability in implementations of regular expression evaluators and related methods that can cause the thread to hang when evaluating regular expressions that contain a group which is itself repeated and whose body already contains a repetition (nested quantifiers). Additionally, any regular expression that contains alternate subexpressions that overlap one another (so the same input can be consumed by more than one alternative) can also be exploited. This defect can be used to execute a Denial of Service (DoS) attack.
Examples:
(e+)+
([a-zA-Z]+)*
(e|ee)+
There are no known regular expression implementations that are immune to this vulnerability. All platforms and languages are vulnerable to this attack.
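The following is an added example, not code from the advisory or the affected project. It shows a small static check that flags the two pattern shapes described above (a quantified group whose body already repeats, and alternation inside a quantified group, which must then be reviewed for overlapping alternatives), and it places the advisory's three patterns beside rewrites that accept the same strings but leave the engine only one way to consume each character. The function names (`quantifierLength`, `analyzePattern`, `rewritesAgree`), the `REWRITES` table and the `SAMPLES` inputs are assumptions constructed for this example; the checker is a heuristic over JavaScript regex syntax, not a proof of safety.

```javascript
// Added example (not part of the advisory): a static check for nested
// repetition and quantified alternation, plus hardened rewrites.

// Length of the quantifier starting at src[i] (0 if src[i] starts none).
// Handles * + ? {n} {n,} {n,m} and their lazy variants (e.g. +? or {2,}?).
function quantifierLength(src, i) {
  const c = src[i];
  if (c === '*' || c === '+' || c === '?') {
    return src[i + 1] === '?' ? 2 : 1;
  }
  if (c === '{') {
    const m = /^\{\d+(?:,\d*)?\}\??/.exec(src.slice(i));
    return m ? m[0].length : 0; // a '{' that starts no {n,m} is a literal
  }
  return 0;
}

// Scans a regex source string and returns findings of two kinds:
//   nested-quantifier      -- a quantified group whose body already repeats
//   quantified-alternation -- alternation inside a quantified group; review
//                             the alternatives for overlap (e.g. e|ee)
function analyzePattern(src) {
  const findings = [];
  // One frame per open group; frame 0 stands for the pattern's top level.
  const stack = [{ start: 0, hasQuantifier: false, hasAlternation: false }];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (c === '\\') { i += 2; continue; }               // escaped atom, e.g. \d
    if (c === '[') {                                     // skip a character class
      i += 1;
      if (src[i] === '^') i += 1;
      if (src[i] === ']') i += 1;                        // leading ']' is literal
      while (i < src.length && src[i] !== ']') i += src[i] === '\\' ? 2 : 1;
      i += 1;
      continue;
    }
    if (c === '(') {
      stack.push({ start: i, hasQuantifier: false, hasAlternation: false });
      i += 1;
      if (src[i] === '?') {                              // (?: (?= (?! (?<=  (?<!  (?<name>
        i += 1;
        if (src[i] === '<' && (src[i + 1] === '=' || src[i + 1] === '!')) {
          i += 2;
        } else if (src[i] === '<') {
          const close = src.indexOf('>', i);
          i = close < 0 ? src.length : close + 1;
        } else {
          i += 1;
        }
      }
      continue;
    }
    if (c === '|') { stack[stack.length - 1].hasAlternation = true; i += 1; continue; }
    if (c === ')') {
      const group = stack.pop();
      i += 1;
      const q = quantifierLength(src, i);
      const text = src.slice(group.start, i + q);
      if (q && group.hasQuantifier) findings.push({ kind: 'nested-quantifier', text });
      if (q && group.hasAlternation) findings.push({ kind: 'quantified-alternation', text });
      // Repetition inside this group is also repetition inside the parent group.
      const parent = stack[stack.length - 1];
      if (q || group.hasQuantifier) parent.hasQuantifier = true;
      i += q;
      continue;
    }
    const q = quantifierLength(src, i);
    if (q) { stack[stack.length - 1].hasQuantifier = true; i += q; continue; }
    i += 1;                                               // plain literal atom
  }
  return findings;
}

// The advisory's patterns beside rewrites that accept exactly the same strings
// but give the engine only one way to consume each character (linear matching).
const REWRITES = [
  { vulnerable: /^(e+)+$/,        hardened: /^e+$/ },
  { vulnerable: /^([a-zA-Z]+)*$/, hardened: /^[a-zA-Z]*$/ },
  { vulnerable: /^(e|ee)+$/,      hardened: /^e+$/ },
];

// Constructed samples, kept short on purpose: the vulnerable side is
// exponential on long non-matching input such as 'eeeeeeeeeeeeeeeeeeeeeeee!'.
const SAMPLES = ['', 'e', 'eee', 'eeee!', 'abcXYZ', 'abc1', 'ee ee'];

// True when every vulnerable/hardened pair agrees on every sample.
function rewritesAgree(samples) {
  return REWRITES.every(({ vulnerable, hardened }) =>
    samples.every(s => vulnerable.test(s) === hardened.test(s)));
}

for (const { vulnerable } of REWRITES) {
  console.log(vulnerable.source, analyzePattern(vulnerable.source));
}
console.log('rewrites agree on samples:', rewritesAgree(SAMPLES));
```

Run it with `node` to see each of the advisory's patterns flagged and the rewrites confirmed equivalent on the samples. The checker is deliberately conservative: it reports any alternation inside a quantified group, because deciding whether alternatives actually overlap needs a semantic comparison of the branches, and a reviewer is better placed to make that call than a tokenizer.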
https://vulncat.fortify.com/en/detail?id=desc.dataflow.dotnet.denial_of_service_regular_expression#JavaScript%2fTypeScript
References
https://dp3.atlassian.net/browse/MB-5388
For more information