Regular Expression Denial of Service
January 2026 · Derick Zr · 1 minute read
ReDoS (Regular Expression Denial of Service)
The original EMAIL_REGEX had nested quantifiers:
/^[A-Z0-9]+(?:[.-]?[A-Z0-9]+)*@.../
The pattern [A-Z0-9]+(?:[.-]?[A-Z0-9]+)* creates exponential backtracking because:
- [A-Z0-9]+ matches one or more alphanumeric characters
- (?:[.-]?[A-Z0-9]+)* can also match the same characters, since the [.-] separator is optional
When you type "aaaaaaaaaaaaaaaaaaaaaaaaa" (no @), the regex engine tries 2^n ways of splitting the letters between the two quantifiers before failing - freezing the browser.
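As an added example that is not part of the original post: the vulnerable local-part pattern next to a hardened version that accepts the same addresses, plus a timing helper that shows the doubling on the post's "aaaa..." input. It assumes the original EMAIL_REGEX used the case-insensitive i flag (the post's test input is lowercase) and fills in a placeholder domain part for the elided "..."; the 254-character cap and the function names are this example's own choices.

```javascript
// Added example, not code from the original post. Assumes the original
// EMAIL_REGEX used the `i` flag and a domain part like the one below.

// Vulnerable local part from the post: `[.-]?` is optional, so a run of n
// letters can be divided between the outer `[A-Z0-9]+` and the repeated group
// in 2^(n-1) ways, and on an input with no "@" the engine tries every one.
const VULNERABLE_EMAIL_REGEX =
  /^[A-Z0-9]+(?:[.-]?[A-Z0-9]+)*@[A-Z0-9]+(?:[.-][A-Z0-9]+)*\.[A-Z]{2,}$/i;

// Hardened form: the separator inside the group is mandatory, so each group
// iteration must start at "." or "-" and every letter has exactly one
// quantifier it can belong to. The set of accepted addresses is unchanged.
const SAFE_EMAIL_REGEX =
  /^[A-Z0-9]+(?:[.-][A-Z0-9]+)*@[A-Z0-9]+(?:[.-][A-Z0-9]+)*\.[A-Z]{2,}$/i;

// Second defence: bound the input before the regex ever sees it
// (254 is the practical maximum length of an address; assumed cap).
const MAX_EMAIL_LENGTH = 254;

function isValidEmail(input, regex = SAFE_EMAIL_REGEX) {
  if (typeof input !== "string" || input.length > MAX_EMAIL_LENGTH) return false;
  return regex.test(input);
}

// Run one match and report how long the engine spent on it.
function timeMatch(regex, input) {
  const start = performance.now();
  const matched = regex.test(input);
  return { matched, ms: performance.now() - start };
}

// Compare both patterns on the post's attack input ("a" repeated n times, no
// "@") for increasing n; the vulnerable pattern's time roughly doubles per step.
function backtrackingDemo(maxN = 20) {
  const rows = [];
  for (let n = 10; n <= maxN; n += 2) {
    const input = "a".repeat(n);
    rows.push({
      n,
      vulnerableMs: timeMatch(VULNERABLE_EMAIL_REGEX, input).ms,
      safeMs: timeMatch(SAFE_EMAIL_REGEX, input).ms,
    });
  }
  return rows;
}

for (const row of backtrackingDemo()) {
  console.log(
    `n=${row.n}  vulnerable=${row.vulnerableMs.toFixed(2)}ms  safe=${row.safeMs.toFixed(2)}ms`
  );
}
```

The demo stops at 20 letters so it finishes in well under a second; each extra letter roughly doubles the vulnerable pattern's time while the hardened pattern stays flat. Removing the ambiguity (one quantifier per character) is what fixes the complexity; the length cap is a backstop in case a future edit reintroduces an ambiguous pattern.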