All tools

Regex ReDoS Detector

Code

Scan a regex for catastrophic-backtracking (ReDoS) risk: nested quantifiers, overlapping alternation, and adjacent overlapping quantifiers

Paste a regular expression and this tool statically scans it for the constructs that cause catastrophic backtracking, the class of bug behind most ReDoS denial-of-service incidents. It flags nested unbounded quantifiers like (a+)+, alternation branches that can match the same input under a repetition like (a|ab)*, and adjacent overlapping quantifiers like \d+\d+ that lead to quadratic runtime. It is a heuristic linter rather than a formal proof, so it deliberately does not flag safe repetition such as (ab)+ or disjoint alternation like (a|b)+, and it can miss more exotic constructs. Treat a clean result as a good sign, not a guarantee, and always benchmark a suspect pattern against realistic worst-case input.

regexredossecurityperformancebacktrackingdetect

How to use Regex ReDoS Detector

  • 1.Paste the body of a regex (no delimiters or flags) and read the risk level: high means an exponential construct was found, medium means a quadratic one.
  • 2.Check each finding's snippet and message to see exactly which part of the pattern is dangerous and why.
  • 3.Rewrite a flagged pattern by removing the nested repetition, making alternation branches mutually exclusive, or anchoring the repeat, then re-scan to confirm the risk is gone.

Frequently asked questions

Does a clean result mean my regex is definitely safe?
No. This is a heuristic linter focused on the classic exponential and quadratic patterns; it can miss more unusual constructs. A clean result is reassuring but not a formal guarantee, so still benchmark critical patterns against worst-case input.
Why isn't (a+b)+ flagged even though it has nested quantifiers?
The mandatory 'b' between repetitions removes the ambiguity that catastrophic backtracking depends on, so it is generally safe. The tool only flags a repeated group whose body is a single unbounded-repeated element, which is the genuinely exponential case.
What regex flavor does it assume?
It analyzes the pattern structurally, so it applies to any backtracking engine (JavaScript, Python, Java, PCRE). The compile-validity check uses the host language's engine, which is why an invalid pattern is still analyzed structurally with a note.
Is my pattern sent to a server?
No, the browser tool runs entirely client-side. The REST API and SDKs run the same analysis locally with no external calls.

Use via API, SDK, or MCP

cURL# Free: 1,000 req/day · Pro: 10,000 req/day
curl -X POST https://api.utilix.tech/v1/tools/redos-detector \
  -H "Authorization: Bearer utx_live_..." \
  -H "Content-Type: application/json" \
  -d '{"pattern":"(a+)+"}'

Get an API key from your dashboard · Full API docs →