Expected Findings
- Regex `^(a+)+$` is applied to user input with no length cap.
- Backtracking is exponential in input length.
- Same regex is reused on a public signup endpoint.
The email validator uses a regex with catastrophic backtracking, so a crafted input pegs a CPU and ties up the request worker.
CWE-1333
^(a+)+$
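The fix for this finding, as an added example rather than code from the reviewed application: cap the input length before matching and replace the nested quantifier with an equivalent single one, then confirm both patterns give the same verdicts. `MAX_LEN`, `validate`, `same_verdict` and `failure_time` are hypothetical names, the cap value is assumed, and the sample inputs are constructed.

```python
import re
import time

# Pattern from the finding: a quantified group around a quantified atom.
VULNERABLE = re.compile(r"^(a+)+$")
# Same accepted strings with a single quantifier, so a failed match is linear.
# Assumption: nothing downstream reads the capture group.
HARDENED = re.compile(r"^a+$")
MAX_LEN = 254  # assumed cap for this sketch; use the field's real limit


def validate(value: str, max_len: int = MAX_LEN) -> bool:
    """Reject over-length input before any regex runs, then match in linear time."""
    if len(value) > max_len:
        return False
    return HARDENED.match(value) is not None


def same_verdict(samples) -> bool:
    """True if both patterns accept and reject exactly the same samples."""
    return all(bool(VULNERABLE.match(s)) == bool(HARDENED.match(s)) for s in samples)


def failure_time(pattern: re.Pattern, n: int) -> float:
    """Seconds spent rejecting a constructed near-miss of length n + 1."""
    near_miss = "a" * n + "!"
    start = time.perf_counter()
    assert pattern.match(near_miss) is None
    return time.perf_counter() - start


if __name__ == "__main__":
    # Small sizes only: the original pattern roughly doubles per extra character.
    for n in (14, 16, 18, 20):
        print(n, f"{failure_time(VULNERABLE, n):.4f}s", f"{failure_time(HARDENED, n):.6f}s")
    print("verdicts agree:", same_verdict(["", "a", "aaaa", "b", "aab", "aaa!"]))
    print("over-length rejected:", validate("a" * (MAX_LEN + 1)) is False)
```

A test like `failure_time(HARDENED, 100000)` under a time budget works as a regression check in CI, so a later edit that reintroduces nested quantifiers fails the build.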