This content originally appeared on DEV Community and was authored by Jake Roggenbuck
Description
A server-side TypeScript and JavaScript library immune to Regular Expression Denial of Service (ReDoS) attacks: it uses Rust bindings and a linear-time regex engine under the hood. Regolith has a linear worst-case time complexity, whereas the default RegExp built into JavaScript and TypeScript runtimes is a backtracking engine with an exponential worst case.
Install Regolith with NPM
npm i @regolithjs/regolith
Try it out
import { Regolith } from '@regolithjs/regolith';
const pattern = new Regolith("^\\d+$");
pattern.test("12345"); // true
pattern.test("Hello"); // false
What are ReDoS attacks?
Regular Expression Denial of Service (ReDoS) attacks occur when a vulnerable regex pattern is executed against a specially constructed input that triggers catastrophic backtracking: the engine explores an exponential number of ways to match the input before it finally fails. An attacker who controls that input can keep a service busy for seconds, minutes or longer on a single request, so the service becomes unavailable while it is stuck evaluating the regex.
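The following is an added example, not code from the original post or from the Regolith project. It reproduces the failure mode described above using the built-in RegExp with the textbook nested-quantifier pattern ^(a+)+$ (the pattern is my choice, not one taken from the page) and shows the usual mitigation when a linear engine is not available: rewriting the pattern so the match is unambiguous. The input sizes are deliberately kept below 20 because each additional character roughly doubles the work.

```javascript
// Added example (not part of Regolith): measuring catastrophic backtracking
// in the built-in JavaScript RegExp.
//
// ^(a+)+$ is the classic "nested quantifier" case. On an input of n 'a's
// followed by a character that can never match, the backtracking engine tries
// every way of splitting the run of 'a's between the inner and outer
// quantifier before giving up, which is exponential in n.
const VULNERABLE = /^(a+)+$/;

// The same language (one or more 'a') written without nested quantifiers.
// There is only one way to match, so the engine never backtracks.
const REWRITTEN = /^a+$/;

// Build an attack string: n matching characters, then one that forces failure.
function attackInput(n) {
  return "a".repeat(n) + "!";
}

// Run pattern.test(input) and return the result together with the elapsed
// time in milliseconds, so the growth can be observed by the reader.
function timedTest(pattern, input) {
  const start = process.hrtime.bigint();
  const matched = pattern.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Measure one pattern over a list of input sizes.
function measureGrowth(pattern, sizes) {
  return sizes.map((n) => ({ n, ...timedTest(pattern, attackInput(n)) }));
}

// Sizes are capped at 20: at n = 30 (the size used in the post's table) the
// vulnerable pattern would run for minutes, which is exactly the ReDoS payload.
const SIZES = [10, 14, 18, 20];

function main() {
  for (const r of measureGrowth(VULNERABLE, SIZES)) {
    console.log(`vulnerable n=${r.n}: matched=${r.matched} in ${r.ms.toFixed(1)} ms`);
  }
  // The rewritten pattern handles a much larger attack input in negligible time.
  for (const r of measureGrowth(REWRITTEN, [...SIZES, 100000])) {
    console.log(`rewritten  n=${r.n}: matched=${r.matched} in ${r.ms.toFixed(3)} ms`);
  }
}

main();
```

Running the block prints the time per size; the vulnerable pattern's time roughly doubles with each extra character, while the rewritten one stays flat even at n = 100000. A linear engine such as the one Regolith wraps gives that flat behaviour for every pattern it accepts, without needing the pattern to be rewritten by hand.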
Linear vs Exponential Regex Libraries
This table lists popular languages and whether their standard regex library has a linear or an exponential worst case. It also includes experimental results for how long execution took for a regex pattern vulnerable to ReDoS, given an attack input of size 30.
Drop-in Replacement
Regolith aims to be a drop-in replacement for RegExp, requiring minimal (often no) changes to existing code. The goal of Regolith is to let developers easily build software that is immune to ReDoS attacks.
Impact
These vulnerabilities appear relatively often in popular libraries. No individual project is specifically at fault; the language's default regex engine simply allows them to happen.
A recent example of a ReDoS vulnerability is CVE-2025-5889 in brace-expansion. Again, this is not a fault of that project; it is an issue the language allows. Measures can be put in place to reduce the risk, but these issues are hard to spot and hard to test for.
The brace-expansion project is used by 42.5 million other projects on GitHub. If everyone were to patch their software (which they hopefully will), that would be 42.5 million pull requests, roughly 42.5 million build minutes, and probably more than 42 million engineering minutes as well. All of that for a single vulnerability, and that is only a lower bound on the effort spent if everyone keeps their software patched.
The fix also had to be backported to the older major versions of brace-expansion, so versions 1, 2 and 3 needed updates alongside the current version 4.
A library or project that is immune to these vulnerabilities would save this effort for each project that adopted it, and would save the whole package ecosystem that effort if widely adopted. Adoption of libraries is difficult, especially when they are not very flashy, but helping library maintainers and engineers stop worrying about ReDoS, one library and one project at a time, is our goal.
Trade-off
The Rust regex library deliberately excludes the two features that make regex engines particularly vulnerable to ReDoS: backreferences and look-around (lookahead and lookbehind). Both require the engine to revisit earlier positions in the input, which is what rules out a linear-time guarantee; leaving them out is what allows the library to guarantee linear-time execution.
Since Regolith achieves its linear worst case by binding to the Rust regex library, backreferences and look-around are not available in Regolith either.
This trade-off has proven to be worth it for the Rust community of libraries and projects.
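As an added example (not code from the original post or from Regolith), the helper below does what a practitioner would want before migrating a code base to a linear engine: it scans a regex source string for the two unsupported features, backreferences and look-around, and then shows how a common look-around pattern, a password policy, can be expressed as several independent linear checks instead. The password policy pattern, the function names and the sample inputs are all assumptions made for this illustration.

```javascript
// Added example (not part of Regolith): auditing patterns for features a
// linear engine cannot accept, and rewriting a look-around pattern without them.

// Heuristic scan of a regex source for backreferences and look-around.
// Escaped characters and character classes are skipped so that a literal
// "\(" or "[?=]" is not reported. This is a syntax check, not a full parser.
function findUnsupportedFeatures(source) {
  const found = [];
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") {
      const next = source[i + 1] ?? "";
      if (!inClass && /[1-9]/.test(next)) found.push(`backreference \\${next} at ${i}`);
      if (!inClass && next === "k" && source[i + 2] === "<") found.push(`named backreference at ${i}`);
      i++; // skip the escaped character whatever it is
      continue;
    }
    if (inClass) {
      if (c === "]") inClass = false;
      continue;
    }
    if (c === "[") {
      inClass = true;
      continue;
    }
    if (c === "(" && source[i + 1] === "?") {
      const rest = source.slice(i + 2, i + 4);
      if (rest.startsWith("=") || rest.startsWith("!")) found.push(`lookahead at ${i}`);
      else if (rest === "<=" || rest === "<!") found.push(`lookbehind at ${i}`);
      // "(?:" and "(?<name>" are plain groups and stay supported.
    }
  }
  return found;
}

// A typical look-around pattern (assumed for this example): a password policy
// that requires a digit, a lowercase letter and a minimum length in one regex.
const POLICY_LOOKAROUND = "^(?=.*\\d)(?=.*[a-z]).{8,}$";

// The same policy as independent linear patterns. Each lookahead becomes one
// extra test, and the policy is the conjunction of all tests. Every pattern
// here is free of backreferences and look-around, so a linear engine
// (or Regolith) can run each one.
const POLICY_LINEAR = [/\d/, /[a-z]/, /^.{8,}$/];

function passesLinearPolicy(password) {
  return POLICY_LINEAR.every((re) => re.test(password));
}

// Sanity check used while migrating: the two formulations must agree.
function policiesAgree(password) {
  return new RegExp(POLICY_LOOKAROUND).test(password) === passesLinearPolicy(password);
}

// Constructed sample patterns and inputs for a quick demonstration.
const SAMPLE_PATTERNS = ["^\\d+$", POLICY_LOOKAROUND, "(a)\\1", "(?<!x)y", "[?=]"];
const SAMPLE_PASSWORDS = ["abc12345", "ABCDEFGH1", "ab1", "password9"];

for (const p of SAMPLE_PATTERNS) {
  const issues = findUnsupportedFeatures(p);
  console.log(`${p}: ${issues.length ? issues.join("; ") : "ok for a linear engine"}`);
}
for (const pw of SAMPLE_PASSWORDS) {
  console.log(`${pw}: linear policy=${passesLinearPolicy(pw)} agrees=${policiesAgree(pw)}`);
}
```

Splitting look-around into separate tests works whenever the lookaheads are independent conditions on the whole input, as in the policy above. A pattern that genuinely needs a backreference (for example, matching a repeated word) has no equivalent without it, and that is the part of the trade-off an adopter has to accept or rewrite differently.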
Results
Because ReDoS vulnerabilities are hard to spot, CVEs for them are filed rather frequently. A regex library with a linear worst-case time would eliminate this class of issue for every downstream project that adopts it.
Closing
View more info on GitHub
Jake Roggenbuck | Sciencx (2025-07-03T01:15:29+00:00) Preventing ReDoS Attacks with Regolith. Retrieved from https://www.scien.cx/2025/07/03/preventing-redos-attacks-with-regolith/