Loading Shrinkify...
Loading Shrinkify...
Analyze regular expressions for catastrophic backtracking vulnerabilities (ReDoS). Protect your app from regex denial-of-service.
Enter a pattern to see token explanations.
Hotspots
No hotspot pattern detected.
Reasons
Safer Rewrites
• Pattern shape looks safe. Keep anchors and explicit classes where possible.
ReDoS (Regular Expression Denial of Service) occurs when a regex pattern backtracks exponentially on partially-matching input — causing server hang or process stall. The ReDoS Checker detects vulnerable patterns before they reach production code.
A single malicious input string can lock a Node.js thread or DDoS a poorly protected API endpoint using a vulnerable regex. Input validation and authentication code are especially exposed.
(a+)+ or (a*)* — catastrophic on long non-matching strings.(a|aa)+ — engine explores exponential path combinations.A crafted input that causes a vulnerable regex to backtrack exponentially, consuming 100% CPU and stalling the process.
Input validation regex on server-side routes and authentication endpoints — any pattern that processes user-controlled input.
Eliminate nested quantifiers and ambiguous alternation. Use atomic groups or possessive quantifiers where your engine supports them.
Check out our technical guides to learn more about how browser-side processing works.
Read Glossary