no-express-unsafe-regex-route
ESLint rule documentation for no-express-unsafe-regex-route
Disallow vulnerable regular expressions in route definitions
This rule detects Regular Expression Denial of Service (ReDoS) vulnerabilities in Express route patterns
Severity: 🔴 Critical
CWE: CWE-1333
Rule Details
This rule detects Regular Expression Denial of Service (ReDoS) vulnerabilities in Express route patterns. Express tests the path of every incoming request against each route's regex synchronously on the event loop, and V8's regex engine is a backtracking engine. A pattern with nested quantifiers or overlapping alternatives therefore lets a single crafted URL trigger exponential backtracking, which stalls not just that route but every other request the process is serving.
Examples
❌ Incorrect

```javascript
// Nested quantifiers - VULNERABLE to ReDoS
app.get(/^\/api\/(.*)*$/, handler);

// Quantifier applied to an already-quantified group - VULNERABLE
app.get(/^(a+)+$/, handler);

// Evil regex patterns
app.get(/^([a-zA-Z]+)*$/, handler);
```

✅ Correct

```javascript
// Simple string pattern - SAFE
app.get('/api/:resource', handler);

// Regex with a single, unnested quantifier - SAFE
app.get(/^\/api\/[a-z]+$/, handler);

// One quantifier over one character class - SAFE
// (JavaScript regexes have no atomic groups or possessive quantifiers;
// the fix is to keep quantifiers unnested, not to make them possessive)
app.get(/^\/api\/\w+$/, handler);
```

Vulnerable Patterns
| Pattern | Risk | Example Attack |
|---|---|---|
| `(a+)+` | High | `aaaaaaaaaaaaaaaaaaaaaaaaaaaa!` |
| `(.*)*` | High | Long input ending in a character `.` cannot consume (a newline), so `$` never matches |
| `([a-zA-Z]+)*` | High | `aaaaaaaaaaaaaaaaaaaaaaaaaaa!` |
| `(a\|aa)+` | Medium | Alternation with overlap: `aaaaaaaaaaaaaaaaaaaaaaaaaaa!` (star height is only 1, so nested-quantifier checks alone miss it) |
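To make the two structural checks behind the table concrete, here is an added example; it is not the rule's own implementation, which this page does not reproduce. `starHeight` computes the maximum nesting of quantifiers in a regex source string and flags every High row (height 2 or more), and `overlappingAlternations` is a deliberately conservative literal-prefix check that catches `(a|aa)+`, which has star height 1 and would otherwise slip through. The function names, the two-check split, and the prefix heuristic (which can over-report alternations that are not actually ambiguous) are assumptions for illustration.

```javascript
'use strict';

// Added example, not the lint rule's own code. Two checks over a regex
// source string (RegExp.prototype.source):
//   1. star height >= 2: a quantifier applied to a group that already
//      contains a quantifier, e.g. (a+)+ , (.*)* , ([a-zA-Z]+)*
//   2. overlapping alternation under a quantifier, e.g. (a|aa)+ , which
//      has star height 1 and so is invisible to check 1.

// A JavaScript quantifier at the current position: * + ? {n} {n,} {n,m}
const QUANTIFIER = /^(?:[*+?]|\{\d+(?:,\d*)?\})/;

// Skip the (?: (?= (?! (?<= (?<! (?<name> prefixes after an opening paren.
function skipGroupPrefix(src, j) {
  if (src[j] !== '?') return j;
  if (src[j + 1] === '<' && src[j + 2] !== '=' && src[j + 2] !== '!') {
    return src.indexOf('>', j) + 1;            // named capture group
  }
  return src[j + 1] === '<' ? j + 3 : j + 2;   // lookbehind / (?: (?= (?!
}

// Star height: 0 for no quantifier, 1 for a+ or [a-z]+, 2 for (a+)+ ...
function starHeight(src) {
  const outer = [];   // saved "current" of each enclosing group
  let current = 0;    // max height of any quantified subexpression so far
  let atom = 0;       // height of the atom a following quantifier applies to
  let i = 0;
  while (i < src.length) {
    const ch = src[i];
    if (ch === '\\') { atom = 0; i += 2; continue; }          // escape
    if (ch === '[') {                                          // class: opaque
      i++;
      while (i < src.length && src[i] !== ']') i += src[i] === '\\' ? 2 : 1;
      i++; atom = 0; continue;
    }
    if (ch === '(') {
      outer.push(current); current = 0;
      i = skipGroupPrefix(src, i + 1); continue;
    }
    if (ch === ')') {
      atom = current;                                          // group becomes the atom
      current = Math.max(outer.length ? outer.pop() : 0, current);
      i++; continue;
    }
    const q = QUANTIFIER.exec(src.slice(i));
    if (q) {
      current = Math.max(current, atom + 1);
      i += q[0].length;
      if (src[i] === '?') i++;                                 // lazy modifier
      atom = 0; continue;
    }
    atom = 0; i++;                                             // literal . | ^ $
  }
  return current;
}

// Quantified groups whose body is a plain alternation of word literals in
// which one branch is a prefix of another. Conservative by design.
function overlappingAlternations(src) {
  const found = [];
  const group = /\(((?:[^()\\\[]|\\.)*)\)(?=[*+?{])/g;   // innermost quantified groups
  let m;
  while ((m = group.exec(src)) !== null) {
    const body = m[1].startsWith('?:') ? m[1].slice(2) : m[1];
    const branches = body.split('|');
    if (branches.length < 2 || !branches.every(b => /^\w+$/.test(b))) continue;
    const overlap = branches.some((a, i) =>
      branches.some((b, j) => i !== j && b.startsWith(a)));
    if (overlap) found.push(m[0]);
  }
  return found;
}

// Verdict for one route RegExp, in the spirit of the rule's report.
function classifyRouteRegex(re) {
  const src = re.source;
  if (starHeight(src) >= 2) return 'nested-quantifier';
  if (overlappingAlternations(src).length > 0) return 'overlapping-alternation';
  return 'ok';
}

// The patterns from the table above plus the "Correct" examples (constructed list).
function report() {
  const routes = [
    /^(a+)+$/, /^\/api\/(.*)*$/, /^([a-zA-Z]+)*$/, /^(a|aa)+$/,
    /^\/api\/[a-z]+$/, /^\/api\/\w+$/,
  ];
  return routes.map(re => [String(re), classifyRouteRegex(re)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [re, verdict] of report()) console.log(verdict.padEnd(24), re);
}
```

Character classes and escapes are treated as opaque atoms, which is exactly why `([a-zA-Z]+)*` is still reported: the quantified class has height 1 and the outer `*` lifts the group to 2. The alternation check only looks at innermost groups made of word literals, so it complements rather than replaces the star-height check.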
Options
| Option | Type | Default | Description |
|---|---|---|---|
| `allowInTests` | boolean | `false` | Allow unsafe regex in test files |

```json
{
  "rules": {
    "express-security/no-express-unsafe-regex-route": "error"
  }
}
```

When Not To Use It
Never disable this rule. A single ReDoS request blocks the event loop, which freezes the whole server rather than just the affected route.
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Regex from Variable
Why: Regex stored in variables is not analyzed.
```javascript
// ❌ NOT DETECTED - Regex from variable
const pattern = /^(.*)*$/;
app.get(pattern, handler);
```

Mitigation: Write the regex literal inline in the route definition so the rule can see it, and apply a `safe-regex` style check at startup.
Dynamic Regex Construction
Why: Regex built at runtime is not evaluated.
```javascript
// ❌ NOT DETECTED - Dynamic regex
const pattern = new RegExp(userInput + '*');
app.get(pattern, handler); // Could be vulnerable!
```

Mitigation: Never build route regex from user input; whoever controls the pattern controls its backtracking behaviour. Use static patterns, and if a pattern must be assembled at runtime, keep the quantifiers in the static part and treat the dynamic part as an escaped literal.
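Both gaps above (a regex kept in a variable, and a regex built at runtime) exist because the lint rule only sees source text. A complement that covers both is a startup guard that inspects the RegExp objects actually handed to the router. The following is an added example, not part of this rule or of Express: `assertRouteRegexSafe`, `guardRouter`, the probe inputs and the 20 ms budget are assumptions chosen for illustration. It times each route regex against constructed adversarial inputs and refuses to register one that blows the budget, so it is a runtime heuristic that catches the classic shapes, not a proof of safety.

```javascript
'use strict';

// Added example, not part of the rule or of Express. Probes each route
// RegExp against constructed adversarial inputs and refuses to register it
// if one match exceeds a time budget. It sees the RegExp object itself, so
// it does not matter whether the pattern was inline, a variable, or built
// with new RegExp. The probe set is fixed, so a pattern whose pathological
// input looks different can still pass: a heuristic, not a proof.

const BUDGET_MS = 20;              // a sane route match takes microseconds
const PROBE_LENGTHS = [16, 20, 24]; // exponential patterns blow up well before 24

// "Repeat, then fail at the end" inputs behind the prefixes route regexes
// tend to anchor on. A trailing newline defeats patterns like (.*)* because
// `.` does not consume it and `$` then fails.
function probesFor(n) {
  const body = 'a'.repeat(n);
  const out = [];
  for (const prefix of ['', '/api/', '/']) {
    for (const tail of ['!', '\n', '/']) out.push(prefix + body + tail);
  }
  return out;
}

function millisSince(start) {
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Returns the slowest probe time in ms, or throws on the first budget violation.
// Non-RegExp paths (strings such as '/api/:id') are passed through untouched.
function assertRouteRegexSafe(re) {
  if (!(re instanceof RegExp)) return 0;
  let worst = 0;
  for (const n of PROBE_LENGTHS) {
    for (const input of probesFor(n)) {
      const start = process.hrtime.bigint();
      re.test(input);
      const ms = millisSince(start);
      worst = Math.max(worst, ms);
      if (ms > BUDGET_MS) {
        throw new Error(
          `refusing route ${re}: ${ms.toFixed(1)} ms on a ${input.length}-byte probe (likely ReDoS)`);
      }
    }
  }
  return worst;
}

// Wrap the registration methods of an Express-style router so every RegExp
// path is probed before the router ever sees it. Intended for the real `app`
// or `express.Router()`; the demo below uses a stand-in object so it runs offline.
const ROUTE_METHODS = ['get', 'post', 'put', 'patch', 'delete', 'all', 'use'];

function guardRouter(router) {
  for (const name of ROUTE_METHODS) {
    const original = router[name];
    if (typeof original !== 'function') continue;
    router[name] = function (path, ...handlers) {
      for (const p of Array.isArray(path) ? path : [path]) assertRouteRegexSafe(p);
      return original.call(this, path, ...handlers);
    };
  }
  return router;
}

// Demo on a constructed stand-in router: one safe route, then the two
// shapes the lint rule cannot see (regex from a variable, dynamic regex).
function demo() {
  const registered = [];
  const router = guardRouter({ get(path) { registered.push(String(path)); } });
  const handler = () => {};
  const pattern = /^(.*)*$/;                          // regex from variable
  const dynamic = new RegExp('^(' + 'a+' + ')+$');    // dynamic construction
  const results = {};
  for (const route of [/^\/api\/\w+$/, pattern, dynamic]) {
    try { router.get(route, handler); results[String(route)] = 'registered'; }
    catch (e) { results[String(route)] = 'rejected'; }
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Probe lengths grow in steps so a vulnerable pattern is rejected at the smallest length that already exceeds the budget; the guard never has to sit through the multi-second case. Run it once at startup, before the server accepts connections, so a rejected route fails the deploy rather than a request.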
Custom Router Methods
Why: Non-standard router methods are not tracked.
```javascript
// ❌ NOT DETECTED - Custom router
customRouter.route(/^(a+)+$/, handler);
```

Mitigation: Configure the rule for custom router method names.
Nested Router Patterns
Why: The rule checks each regex literal on its own. When an outer router's pattern and a nested router's pattern are both applied to the same request path, their combined behaviour is never evaluated.

```javascript
// ❌ NOT DETECTED - Nested pattern combination
const outer = /^\/api.*/;   // pattern on the outer router
const inner = /.*\/data$/;  // pattern on the nested router
// Each looks harmless alone; applied together to one path they may be vulnerable
```

Mitigation: Review the router hierarchy and test the combined patterns against adversarial paths, not just each pattern in isolation.