{"id":8588,"library":"regexploit","title":"Regexploit","description":"Regexploit is a Python tool from Doyensec for finding Regular Expression Denial of Service (ReDoS) weaknesses by static analysis. It parses a pattern into an AST, looks for repeats whose possible matches overlap (nested quantifiers, adjacent overlapping repeats) so that crafted input forces catastrophic backtracking, rates each finding by worst-case complexity (its \"starriness\") and prints an example attack string. It ships as an importable package plus command-line scanners: `regexploit` reads patterns from stdin one per line, `regexploit-py` scans Python source trees and `regexploit-js` scans JavaScript/TypeScript, among others. The current release is 1.0.0; releases are infrequent.","status":"active","version":"1.0.0","language":"en","source_language":"en","source_url":"https://github.com/doyensec/regexploit","tags":["redos","security","regex","vulnerability","static-analysis"],"install":[{"cmd":"pip install regexploit","lang":"bash","label":"Install stable version"}],"dependencies":[],"imports":[{"symbol":"SreOpParser","correct":"from regexploit.ast.sre import SreOpParser"},{"symbol":"find","correct":"from regexploit.redos import find"}],"quickstart":{"code":"import re\n\nfrom regexploit.ast.sre import SreOpParser\nfrom regexploit.redos import find\n\n# A classic nested quantifier: backtracks exponentially on 'aaaa...!' input\nregex_pattern = r'^(a+)+$'\n\n# Regexploit parses with Python's own sre parser, so the pattern must be valid\n# Python `re` syntax; anything else raises re.error here.\ntry:\n    parsed = SreOpParser().parse_sre(regex_pattern)\nexcept re.error as exc:\n    raise SystemExit(f'not a valid Python regex: {exc}')\n\n# find() yields one ReDoS object per problematic sub-pattern. starriness rates\n# worst-case complexity: 3 is cubic, larger is worse (exponential for this one).\n# The bundled `regexploit` CLI reports only findings with starriness above 2.\nfindings = [redos for redos in find(parsed) if redos.starriness > 2]\n\nif findings:\n    print(f'{regex_pattern!r} is vulnerable to ReDoS')\n    for redos in findings:\n        print(f'  starriness:         {redos.starriness}')\n        print(f'  repeated character: {redos.repeated_character}')\n        print(f'  example attack:     {redos.example()}')\nelse:\n    print(f'{regex_pattern!r}: no cubic-or-worse backtracking found')","lang":"python","description":"Parses a pattern with `SreOpParser`, runs `find()` over the resulting AST and prints each finding's starriness, repeated character and example attack input. To scan many patterns without writing code, pipe them to the `regexploit` command one per line, or point `regexploit-py` at a source tree."},"warnings":[{"fix":"The warning is harmless for scanning. Silence it with `PYTHONWARNINGS=ignore::DeprecationWarning` in the environment that runs the scanners, or pin the scan to an older interpreter in CI.","message":"Regexploit imports the standard library's `sre_parse` and `sre_constants` modules, which Python 3.11 deprecated. They still work, but importing them emits a DeprecationWarning on 3.11 and later.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Pass raw strings (`r\"...\"`) so backslashes survive, and make sure the pattern compiles with `re.compile` first. For JavaScript or C# code bases use the dedicated `regexploit-js` / `regexploit-csharp` scanners, which extract the patterns from those languages rather than expecting Python syntax.","message":"Regexploit parses patterns with Python's `re` syntax via `sre_parse`. An invalid pattern raises `re.error`, and patterns written for other engines may use constructs Python rejects.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Treat a finding as a strong lead, not a proof: confirm it by running the reported example input against the pattern in a process you can kill, and check whether attacker-controlled input of that shape can actually reach the regex (length limits and input validation upstream change the real risk). Absence of findings is not a clean bill of health; keep manual review and dynamic testing in the loop for critical code.","message":"Regexploit is a static analyzer that recognises specific backtracking shapes and reports only cubic-or-worse ones. It can miss exploitable patterns (false negatives) and it knows nothing about the data flow feeding the regex.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Run `pip install regexploit` in the interpreter you are using (`python -m pip install regexploit` avoids installing into a different Python).","cause":"The 'regexploit' package is not installed in the current Python environment.","error":"ModuleNotFoundError: No module named 'regexploit'"},{"fix":"Review and correct the pattern for syntax errors (unclosed parentheses, invalid escape sequences). Use raw strings (`r\"my(regex)\"`) so backslashes are not mangled before the parser sees them.","cause":"The pattern handed to `SreOpParser().parse_sre()` is not valid Python `re` syntax, so the underlying `sre_parse` call fails.","error":"re.error: missing ), unterminated subpattern at position X (or similar regex syntax errors)"},{"fix":"Install inside an activated virtual environment, or add pip's console-script directory to PATH (the `bin` directory under `python -m site --user-base` on Unix, `Scripts` on Windows).","cause":"pip installed the `regexploit`, `regexploit-py` and related console scripts into a directory that is not on your PATH, which is typical for `pip install --user`.","error":"regexploit: command not found"}]}
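The third warning recommends confirming a static finding dynamically. The script below is an added example, not code from the regexploit project, and it uses only the Python standard library: it takes the input shape a ReDoS finding for `^(a+)+$` describes (a long run of the repeated character followed by one character that forces the match to fail) and runs the match in a child interpreter with a timeout, because CPython's `re` engine holds the GIL for the whole match and an in-process thread timeout could never fire. The pattern names `VULNERABLE` and `HARDENED`, the helper names and the sample inputs are all constructed here for the demonstration.

```python
"""Confirm a ReDoS finding without hanging the calling process.

Added example, not part of the regexploit project; standard library only.
The patterns, inputs and helper names are constructed for this demo.
"""
import subprocess
import sys
import time

# Constructed samples: the nested quantifier regexploit rates as exponential,
# and an equivalent single-quantifier pattern that backtracks linearly.
VULNERABLE = r"^(a+)+$"
HARDENED = r"^a+$"

# Code executed by the child interpreter. Pattern and text arrive via argv,
# so no shell quoting is involved and no file is written.
_CHILD = (
    "import re, sys\n"
    "print('match' if re.fullmatch(sys.argv[1], sys.argv[2]) else 'nomatch')\n"
)


def attack_input(n: int) -> str:
    """Input shape of a ReDoS finding for ^(a+)+$: n copies of the repeated
    character, then one 'killer' character that makes the overall match fail,
    so the engine retries every way of splitting the run between the groups."""
    return "a" * n + "!"


def match_with_timeout(pattern: str, text: str, timeout: float) -> dict:
    """Run re.fullmatch(pattern, text) in a child interpreter bounded by
    `timeout` seconds. subprocess.run kills the child when the deadline hits.
    Returns {"timed_out": bool, "matched": bool | None, "seconds": float}."""
    start = time.perf_counter()
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern, text],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return {"timed_out": True, "matched": None, "seconds": timeout}
    proc.check_returncode()  # surfaces an re.error raised in the child
    return {
        "timed_out": False,
        "matched": proc.stdout.strip() == "match",
        "seconds": time.perf_counter() - start,
    }


def is_catastrophic(pattern: str, n: int = 32, timeout: float = 3.0) -> bool:
    """True when the pattern cannot reject attack_input(n) within `timeout`.
    For ^(a+)+$ and n=32 the engine faces 2**31 ways to split the run, far
    beyond the deadline; ^a+$ rejects the same input immediately."""
    return match_with_timeout(pattern, attack_input(n), timeout)["timed_out"]


if __name__ == "__main__":
    for pattern in (VULNERABLE, HARDENED):
        result = match_with_timeout(pattern, attack_input(32), 3.0)
        status = "TIMED OUT" if result["timed_out"] else f"{result['seconds']:.3f}s"
        print(f"{pattern!r} on {attack_input(32)!r}: {status}")
```

The child-process cost (interpreter start-up, tens of milliseconds) is the price of being able to kill a runaway match; keep `n` large enough that a genuinely catastrophic pattern blows well past the deadline, so the result is not sensitive to machine speed.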