CWE-1333: Inefficient Regular Expression Complexity

BaseDraftExploit Likelihood: High

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

View on MITRE
Back to CWE Lookup

Extended Description

Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met: The number of possible backtracking attempts are exponential relative to the length of the input. The input can fail to match the regular expression. The input can be long enough. Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

Technical Details

Structure
Simple

Applicable To

Languages
Not Language-Specific
Platforms

Frequently Asked Questions

What is CWE-1333: Inefficient Regular Expression Complexity?+

CWE-1333: Inefficient Regular Expression Complexity is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Some regular expression engines have a feature called "backtracking". If the token cannot match, the engine "backtracks" to a position that may result in a different token that can match. Backtracking becomes a weakness if all of these conditions are met: The number of possible backtracking attempts are exponential relative to the length of the input. The input can fail to match the regular expression. The input can be long enough. Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.

What are the security consequences of Inefficient Regular Expression Complexity?+

If exploited, CWE-1333 (Inefficient Regular Expression Complexity) it can compromise Availability, leading to outcomes such as DoS: Resource Consumption (CPU).

How do you prevent or mitigate Inefficient Regular Expression Complexity?+

Recommended mitigations for CWE-1333 include: Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers. Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process. Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.

Which programming languages are affected by Inefficient Regular Expression Complexity?+

CWE-1333 commonly affects Not Language-Specific. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Inefficient Regular Expression Complexity?+

MITRE documents real CVEs mapped to CWE-1333, including CVE-2020-5243, CVE-2021-21317, CVE-2019-16215, CVE-2019-6785 and CVE-2019-12041. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1333 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More