Performance and ReDoS
Understand catastrophic backtracking and write safe, efficient patterns.
Concept
Some regex patterns can take exponential time on certain inputs because the engine "catastrophically backtracks", retrying the same text in every possible way before giving up. An attacker who controls the input can exploit this to tie up a server; the vulnerability class is called ReDoS (Regular Expression Denial of Service).
**Danger patterns:**
- Nested quantifiers: (a+)+ — a run of n 'a' characters can be split between the inner and outer quantifier in 2^(n-1) ways, so backtracking is exponential!
- Overlapping alternatives inside a quantified group: (a|aa)+ — both branches match the same characters, so the same run can again be consumed in exponentially many ways. Dangerous!
How it happens: the engine tries every possible way to match, and with an ambiguous pattern and a long string that fails to match only at the very end, the number of attempts grows exponentially with the length of the input.
**Safe alternatives:**
- Replace (a+)+b with a+b — it matches the same strings, but in linear time
- Be specific: use atomic groups or possessive quantifiers where the engine supports them, so that a consumed run is never re-split
- Avoid repeating groups whose alternatives overlap; make each character matchable by exactly one branch
The Regexflux tester automatically warns you about high-risk patterns with an amber/red banner.
- /a+b/g — SAFE: One or more 'a' followed by 'b' — linear time, no backtracking
- /\d+(,\d+)*/g — SAFE: Comma-separated numbers — the pattern is unambiguous, because the comma decides where each number ends
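To make the attempt counts behind the danger patterns above visible, here is an added example (not part of the Regexflux lesson or tester): a toy backtracking engine over a hand-built pattern tree that counts every node attempt, run on a constructed non-matching input for (a+)+b, (a|aa)+b and a+b. The node constructors (`lit`, `seq`, `alt`, `plus`), `matchAt` and `search` are all assumed names defined in the block; the counts are for this toy engine, not for any particular production regex implementation.

```javascript
// Added example: a minimal backtracking matcher that counts attempts.
// Nodes: literal, sequence, alternation, greedy '+' (no other operators).
const lit = ch => ({ type: 'lit', ch });
const seq = (...parts) => ({ type: 'seq', parts });
const alt = (...options) => ({ type: 'alt', options });
const plus = sub => ({ type: 'plus', sub });

// Continuation-passing backtracker: k(j) receives the position after this
// node matched; when k returns false the engine backtracks to the next
// possibility. ctr.steps counts how many node attempts were made in total.
function matchAt(node, s, i, k, ctr) {
  ctr.steps++;
  switch (node.type) {
    case 'lit':
      return s[i] === node.ch && k(i + 1);
    case 'seq': {
      const go = (idx, pos) => idx === node.parts.length
        ? k(pos)
        : matchAt(node.parts[idx], s, pos, p => go(idx + 1, p), ctr);
      return go(0, i);
    }
    case 'alt':
      return node.options.some(opt => matchAt(opt, s, i, k, ctr));
    case 'plus':
      // Greedy: after one repetition try another first; only when that fails
      // hand the position to k. The j > i guard prevents empty-match loops.
      return matchAt(node.sub, s, i,
        j => (j > i && matchAt(node, s, j, k, ctr)) || k(j), ctr);
  }
  return false;
}

// Unanchored search like /.../ without ^: every start index is tried, which
// is what a real engine does before it reports "no match".
function search(pattern, s) {
  const ctr = { steps: 0 };
  for (let start = 0; start <= s.length; start++) {
    if (matchAt(pattern, s, start, () => true, ctr)) return { matched: true, steps: ctr.steps };
  }
  return { matched: false, steps: ctr.steps };
}

const vulnerable = seq(plus(plus(lit('a'))), lit('b'));                  // (a+)+b
const overlapping = seq(plus(alt(lit('a'), seq(lit('a'), lit('a')))), lit('b')); // (a|aa)+b
const safe = seq(plus(lit('a')), lit('b'));                              // a+b
// Constructed input: a run of 'a' that fails only at the final character.
const evilInput = n => 'a'.repeat(n) + '!';
for (const n of [8, 10, 12]) console.log(n, 'a+b:', search(safe, evilInput(n)).steps,
  '(a+)+b:', search(vulnerable, evilInput(n)).steps, '(a|aa)+b:', search(overlapping, evilInput(n)).steps);
```

For (a+)+b the count doubles each time one 'a' is added (the toy engine spends 6*2^n - 2 attempts from the first start position alone), while a+b grows only with the square of the input length because of the unanchored restarts.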
Exercise
Write an efficient pattern matching a comma-separated list of numbers like "1,2,3" or "42,100,7". Use an unambiguous structure, in which every character can be consumed by only one part of the pattern, so that it won't catastrophically backtrack.