Base · Draft

CWE-1333: Inefficient Regular Expression Complexity

Category: other

Description

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Common consequences · 1

  • Availability — DoS: Resource Consumption (CPU)
    Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

Potential mitigations · 4

  • [Architecture and Design] Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
  • [System Configuration] Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
  • [Implementation] Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
  • [Implementation] Limit the length of the input that the regular expression will process.
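The mitigations above can be combined into one validation routine. The following is an added example and is not code from MITRE or from the page's source; the patterns, the `MAX_INPUT_LEN` cap and all function names are constructed for illustration. It shows a weak pattern with a nested unbounded quantifier beside a linear-time rewrite, a structural lint that walks Python's own regex parse tree to flag the nested-quantifier shape before a pattern reaches production, and a validator that caps input length before the regex runs. The lint over-approximates on purpose: it flags every unbounded repeat nested inside another unbounded repeat, including some that are unambiguous and therefore safe, so treat a hit as a review prompt rather than proof of exponential behaviour.

```python
import re

try:  # Python 3.11+ keeps the regex parser under re._parser / re._constants
    from re import _parser as regex_parser, _constants as rc
except ImportError:  # older interpreters expose the same modules as sre_parse / sre_constants
    import sre_parse as regex_parser
    import sre_constants as rc

# Constructed sample patterns for a "local-part@" check.
# WEAK_PATTERN nests an unbounded repeat (\w+) inside another unbounded
# repeat ((...)*): a long run of word characters that is not followed by
# '@' can be split between the two repeats in exponentially many ways
# before the engine reports failure. It is kept here only as lint input
# and is never run against input in this example.
WEAK_PATTERN = r"^(\w+\.?)*@"

# SAFE_PATTERN has no nested quantifier: each character is consumed in
# exactly one way, so matching time is linear in the input length.
SAFE_PATTERN = r"^[\w.]+@"
SAFE_LOCAL_PART = re.compile(SAFE_PATTERN)

MAX_INPUT_LEN = 254  # hypothetical cap; choose one that fits the field being validated


def _has_unbounded_repeat(items) -> bool:
    """True if an unbounded repeat ('*', '+', '{n,}') appears anywhere in the parsed items."""
    for op, av in items:
        if op in (rc.MAX_REPEAT, rc.MIN_REPEAT):
            _lo, hi, sub = av
            if hi == rc.MAXREPEAT or _has_unbounded_repeat(sub):
                return True
        elif op is rc.SUBPATTERN and _has_unbounded_repeat(av[3]):
            return True
        elif op is rc.BRANCH and any(_has_unbounded_repeat(b) for b in av[1]):
            return True
    return False


def has_nested_unbounded_repeat(pattern: str) -> bool:
    """Conservative structural lint: flag an unbounded repeat whose body itself
    contains an unbounded repeat (the classic CWE-1333 shape). Patterns it
    passes are free of that shape; patterns it flags deserve a closer look."""
    def walk(items) -> bool:
        for op, av in items:
            if op in (rc.MAX_REPEAT, rc.MIN_REPEAT):
                _lo, hi, sub = av
                if hi == rc.MAXREPEAT and _has_unbounded_repeat(sub):
                    return True
                if walk(sub):
                    return True
            elif op is rc.SUBPATTERN and walk(av[3]):
                return True
            elif op is rc.BRANCH and any(walk(b) for b in av[1]):
                return True
        return False
    return walk(regex_parser.parse(pattern))


def has_valid_local_part(value: str, max_len: int = MAX_INPUT_LEN) -> bool:
    """Validate 'local-part@...' with the linear-time regex, rejecting over-long
    input before the regex runs. Rules that would otherwise push nested groups
    into the pattern (no leading/trailing dot, no consecutive dots) are done
    with plain string checks, which are also linear."""
    if len(value) > max_len:          # length limit first: bounds the regex's work
        return False
    if SAFE_LOCAL_PART.match(value) is None:
        return False
    local = value.split("@", 1)[0]
    return not (local.startswith(".") or local.endswith(".") or ".." in local)


if __name__ == "__main__":
    for pat in (WEAK_PATTERN, SAFE_PATTERN):
        print(f"{pat!r:16} nested unbounded repeat: {has_nested_unbounded_repeat(pat)}")
    for sample in ("alice.smith@example.org", "alice..smith@example.org", "a" * 300 + "@example.org"):
        print(f"{sample[:30]!r:34} valid: {has_valid_local_part(sample)}")
```

Running the lint over a code base's compiled patterns at build time catches the nested-quantifier shape before it is deployed; the length cap and the split between a simple regex and plain string checks are what keep the validator's worst case linear even when the input is attacker-controlled.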

Related CAPEC attack patterns · 1

CAPEC-492

References

  1. https://cwe.mitre.org/data/definitions/1333.html

Exploits (incoming) · 1

Type          | Target                                            | Confidence | Tier
AttackPattern | Regular Expression Exponential Blowup (capec-492) | 100%       | live

(incoming) · 3

Type          | Target                           | Confidence | Tier
Vulnerability | CVE-2025-62484 (cve-2025-62484)  | 0%         | live
Vulnerability | CVE-2026-22178 (cve-2026-22178)  | 0%         | live
Vulnerability | CVE-2026-35458 (cve-2026-35458)  | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  • CWE: Inefficient Algorithmic Complexity
  • CWE: Permissive Regular Expression
  • CWE: Improper Validation of Syntactic Correctness of Input
  • CWE: Inefficient CPU Computation
  • CWE: Excessively Complex Data Representation
  • CWE: Incorrect Comparison Logic Granularity

Sourced from MITRE CWE 4.20. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.