SoK: A Literature and Engineering Review of Regular Expression Denial of Service (ReDoS)
Masudul Hasan Masud Bhuiyan, Berk Çakar, Ethan H. Burmane, James C. Davis, Cristian-Alexandru Staicu

TL;DR
This paper systematically reviews the state of ReDoS vulnerabilities, examining detection, prevention, mitigation strategies, and the implementation of defenses in regex engines, while identifying gaps in real-world impact assessment and future research directions.
Contribution
It provides a comprehensive literature and engineering review of ReDoS, highlighting current defenses, gaps in real-world evaluation, and proposing future research avenues.
Findings
Most studies lack real-world impact assessment.
Many regex engines have implemented partial or full defenses.
Future work should evaluate emerging defenses and improve engineering support.
Abstract
Regular Expression Denial of Service (ReDoS) is a vulnerability class that has become prominent in recent years. Attackers can weaponize such weaknesses as part of asymmetric cyberattacks that exploit the slow worst-case matching time of regular expression (regex) engines. In the past, problematic regexes have led to outages at Cloudflare and Stack Overflow, showing the severity of the problem. While ReDoS has drawn significant research attention, there has been no systematization of knowledge to delineate the state of the art and identify opportunities for further research. In this paper, we describe the existing knowledge on ReDoS. We first provide a systematic literature review, discussing approaches for detecting, preventing, and mitigating ReDoS vulnerabilities. Then, our engineering review surveys the latest regex engines to examine whether and how ReDoS defenses have been…
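The abstract's core point, the slow worst-case matching time of backtracking regex engines and the linear-time engines that remove it, is easiest to see with step counts. The following is an added example written for this page, not code from the paper or from any regex engine it surveys. It assumes a hand-built tuple AST for a toy regex subset (literals, concatenation, alternation, `*`, `+`) and implements two matchers for it: a backtracking matcher that counts calls, and a Thompson-NFA simulation whose work is bounded by input length times state count. Run on the classic `(a+)+` shape against `"aaa...ab"`, the backtracking count grows exponentially while the NFA count grows linearly, which is the defense property the engineering review in the paper examines.

```python
"""Added example (not from the paper): backtracking vs. NFA-simulation matching
for the same toy regex AST, with step counters, to show why (a+)+ against
"aaa...ab" is exponential work in one engine and linear work in the other."""
from typing import Callable, Dict, List, Set, Tuple

# Toy regex AST (assumption: tuples built by hand, no string parser):
#   ("lit", c)  ("cat", a, b)  ("alt", a, b)  ("star", a)  ("plus", a)
Node = tuple


def bt_match(node: Node, s: str, i: int, k: Callable[[int], bool], steps: List[int]) -> bool:
    """Backtracking matcher in continuation-passing style.

    k(j) is called once `node` has consumed s[i:j]. Every call is counted in
    steps[0]; ambiguous repetition such as (a+)+ makes this count explode."""
    steps[0] += 1
    kind = node[0]
    if kind == "lit":
        return i < len(s) and s[i] == node[1] and k(i + 1)
    if kind == "cat":
        return bt_match(node[1], s, i, lambda j: bt_match(node[2], s, j, k, steps), steps)
    if kind == "alt":
        return bt_match(node[1], s, i, k, steps) or bt_match(node[2], s, i, k, steps)
    if kind == "star":
        # Greedy: try one more iteration (it must consume input), else stop here.
        return bt_match(node[1], s, i, lambda j: j != i and bt_match(node, s, j, k, steps), steps) or k(i)
    if kind == "plus":
        return bt_match(node[1], s, i, lambda j: bt_match(("star", node[1]), s, j, k, steps), steps)
    raise ValueError(kind)


def backtracking_fullmatch(node: Node, s: str) -> Tuple[bool, int]:
    """Anchored match of the whole string; returns (matched, call count)."""
    steps = [0]
    ok = bt_match(node, s, 0, lambda j: j == len(s), steps)
    return ok, steps[0]


class NFA:
    """Thompson NFA: state -> {symbol: set(next_states)}; symbol "" is epsilon."""
    def __init__(self) -> None:
        self.trans: List[Dict[str, Set[int]]] = []

    def new_state(self) -> int:
        self.trans.append({})
        return len(self.trans) - 1

    def add(self, a: int, sym: str, b: int) -> None:
        self.trans[a].setdefault(sym, set()).add(b)


def compile_nfa(node: Node, nfa: NFA) -> Tuple[int, int]:
    """Thompson construction; returns (start, accept) state ids for `node`."""
    kind = node[0]
    if kind == "lit":
        s, e = nfa.new_state(), nfa.new_state()
        nfa.add(s, node[1], e)
        return s, e
    if kind == "cat":
        s1, e1 = compile_nfa(node[1], nfa)
        s2, e2 = compile_nfa(node[2], nfa)
        nfa.add(e1, "", s2)
        return s1, e2
    if kind == "alt":
        s, e = nfa.new_state(), nfa.new_state()
        for sub in node[1:]:
            s1, e1 = compile_nfa(sub, nfa)
            nfa.add(s, "", s1)
            nfa.add(e1, "", e)
        return s, e
    if kind == "star":
        s, e = nfa.new_state(), nfa.new_state()
        s1, e1 = compile_nfa(node[1], nfa)
        nfa.add(s, "", s1); nfa.add(s, "", e)
        nfa.add(e1, "", s1); nfa.add(e1, "", e)
        return s, e
    if kind == "plus":
        s1, e1 = compile_nfa(node[1], nfa)
        e = nfa.new_state()
        nfa.add(e1, "", s1); nfa.add(e1, "", e)
        return s1, e
    raise ValueError(kind)


def nfa_fullmatch(node: Node, s: str) -> Tuple[bool, int]:
    """Simulate the NFA with a set of live states (Thompson/Pike style).

    Work is bounded by len(s) * number_of_states; there is no backtracking,
    so no input can inflate it. Returns (matched, steps)."""
    nfa = NFA()
    start, accept = compile_nfa(node, nfa)
    steps = 0

    def closure(states: Set[int]) -> Set[int]:
        nonlocal steps
        seen, stack = set(states), list(states)
        while stack:
            q = stack.pop()
            steps += 1
            for r in nfa.trans[q].get("", ()):
                if r not in seen:
                    seen.add(r)
                    stack.append(r)
        return seen

    current = closure({start})
    for ch in s:
        nxt: Set[int] = set()
        for q in current:
            steps += 1
            nxt |= nfa.trans[q].get(ch, set())
        current = closure(nxt)
        if not current:
            break
    return accept in current, steps


EVIL = ("plus", ("plus", ("lit", "a")))   # the classic (a+)+ shape


def compare(node: Node, text: str) -> dict:
    """Run both engines on the same input and return their step counts."""
    bt_ok, bt_steps = backtracking_fullmatch(node, text)
    nfa_ok, nfa_steps = nfa_fullmatch(node, text)
    assert bt_ok == nfa_ok  # both decide the same language
    return {"matched": bt_ok, "backtracking_steps": bt_steps, "nfa_steps": nfa_steps}


if __name__ == "__main__":
    for n in range(4, 15, 2):   # constructed inputs: n letters 'a' then a non-matching 'b'
        print(n, compare(EVIL, "a" * n + "b"))
```

Doubling the input length roughly doubles `backtracking_steps` (there are 2^(n-1) ways to split n letters into non-empty runs, and the matcher tries each before failing on the trailing `b`), while `nfa_steps` rises by a constant per character. That gap is what makes a vulnerable pattern cheap to trigger and expensive to serve, and why the linear-time engines the paper surveys close it by construction rather than by pattern inspection.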
Taxonomy
Topics: Interconnection Networks and Systems · Caching and Content Delivery
