Paste a regular expression to statically analyze it for catastrophic backtracking, the cause of regular expression denial of service. It flags nested quantifiers, quantified alternation with overlapping branches, adjacent quantifiers over overlapping character classes, and quantifiers over a group that can match empty.
A regular expression looks like a tiny declarative pattern, but in many engines it runs as a backtracking search. When a match fails near the end, the engine backs up and retries earlier choices. A few well known shapes make the number of retries grow exponentially with input length, so a short crafted string can pin a CPU core for a long time. That is regular expression denial of service, tracked as CWE-1333. This tool parses your pattern, walks its structure, and points out the shapes that are known to cause catastrophic backtracking, drawing on the guidance in the OWASP ReDoS note and the CWE-1333 entry.
A nested quantifier is a quantified group whose body is itself quantified, such as (a+)+, (a*)*, or (.*)+. The inner and outer repetition can divide the same run of characters in an exponential number of ways, so when the overall match almost succeeds the engine tries an enormous number of splits before giving up. This is the classic catastrophic backtracking pattern, and the analyzer marks it as high severity.
When a quantified group contains alternatives that can match the same text, such as (a|a)* or (a|ab)*, the engine has more than one way to consume each chunk of input. Repeating that ambiguity multiplies the number of paths, which again leads to exponential blowup on crafted input. The fix is to make the branches mutually exclusive so only one of them can ever match a given position.
Two quantifiers in a row over character classes that overlap, such as \d+\d+ or .*.*, let the engine slide the boundary between them across the input. Each placement is a distinct path it may explore, so a long run of matching characters followed by a failure forces it to try every boundary. On its own this shape is polynomial rather than exponential (two adjacent quantifiers cost quadratic time, three cubic), which still hurts on long inputs, and it turns exponential the moment the pair is itself wrapped in a quantifier, because that is a nested quantifier. Collapsing the two quantifiers into one removes the ambiguity entirely.
A quantifier applied to a group that can match the empty string, such as (a*)* or (\s|)+, asks the engine to repeat something that may consume nothing. Engines guard against true infinite loops, but the bookkeeping still explodes on adversarial input. Make the repeated unit consume at least one character so each repetition makes real progress.
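To make the four shapes above concrete without relying on wall clock timing, here is an added example (not the analyzer's own code): a toy backtracking matcher that counts every step it takes, then compares a short and a long attack string for each shape and its fix. It supports only a small subset of ECMAScript syntax (literals, `.`, `\d` `\s` `\w`, `[...]` classes with ranges, groups, `|`, `*` `+` `?`, and `$`), matches anchored at the start of the input, and the `countSteps`, `growth` and `attack` names are this example's own.

```javascript
// Added example, not the page's analyzer. A continuation-passing backtracking
// matcher for a small regex subset that counts every step it takes, so the
// shapes discussed above can be compared deterministically.

function parse(src) {
  let i = 0;
  const escape = (c) => ({
    d: (ch) => ch >= '0' && ch <= '9',
    s: (ch) => ' \t\r\n'.includes(ch),
    w: (ch) => /[A-Za-z0-9_]/.test(ch),
  })[c] || ((ch) => ch === c); // \. \( and friends are literals

  function alt() {
    const branches = [seq()];
    while (src[i] === '|') { i++; branches.push(seq()); }
    return branches.length === 1 ? branches[0] : { type: 'alt', branches };
  }
  function seq() {
    const items = [];
    while (i < src.length && src[i] !== '|' && src[i] !== ')') {
      let node = atom();
      while (i < src.length && '*+?'.includes(src[i])) node = { type: 'rep', op: src[i++], body: node };
      items.push(node);
    }
    return { type: 'seq', items };
  }
  function atom() {
    const c = src[i++];
    if (c === '(') {
      const body = alt();
      if (src[i++] !== ')') throw new SyntaxError('unbalanced ( in ' + src);
      return { type: 'group', body };
    }
    if (c === '[') {
      const tests = [];
      while (i < src.length && src[i] !== ']') {
        const lo = src[i++];
        if (src[i] === '-' && src[i + 1] !== ']') { i++; const hi = src[i++]; tests.push((ch) => ch >= lo && ch <= hi); }
        else tests.push((ch) => ch === lo);
      }
      if (src[i++] !== ']') throw new SyntaxError('unbalanced [ in ' + src);
      return { type: 'char', test: (ch) => tests.some((t) => t(ch)) };
    }
    if (c === '.') return { type: 'char', test: (ch) => ch !== '\n' };
    if (c === '$') return { type: 'end' };
    if (c === '\\') return { type: 'char', test: escape(src[i++]) };
    return { type: 'char', test: (ch) => ch === c };
  }
  const ast = alt();
  if (i !== src.length) throw new SyntaxError('unexpected ) in ' + src);
  return ast;
}

// k(pos) is "what must match after this node"; every call to run is one step.
function countSteps(pattern, input) {
  const ast = parse(pattern);
  let steps = 0;
  function run(node, pos, k) {
    steps++;
    switch (node.type) {
      case 'char': return pos < input.length && node.test(input[pos]) && k(pos + 1);
      case 'end': return pos === input.length && k(pos);
      case 'group': return run(node.body, pos, k);
      case 'alt': return node.branches.some((b) => run(b, pos, k)); // branches tried in order
      case 'seq': {
        const next = (idx, p) => (idx === node.items.length ? k(p) : run(node.items[idx], p, (q) => next(idx + 1, q)));
        return next(0, pos);
      }
      case 'rep': {
        // Greedy: take one more copy of the body before trying to leave the loop.
        // An iteration that consumed nothing is rejected; that is the guard real
        // engines use so (a*)* cannot loop forever, but the backtracking remains.
        const loop = (p, count) => {
          const canRepeat = node.op !== '?' || count === 0;
          if (canRepeat && run(node.body, p, (q) => q !== p && loop(q, count + 1))) return true;
          if (node.op === '+' && count === 0) return false;
          return k(p);
        };
        return loop(pos, 0);
      }
      default: throw new Error('unknown node ' + node.type);
    }
  }
  const matched = Boolean(run(ast, 0, () => true));
  return { matched, steps };
}

// Step count on a long attack string divided by the count on a short one:
// a few times for linear patterns, tens for polynomial, thousands for exponential.
function growth(pattern, makeInput, short = 5, long = 20) {
  return countSteps(pattern, makeInput(long)).steps / countSteps(pattern, makeInput(short)).steps;
}

const attack = (n) => 'a'.repeat(n) + '!'; // constructed: almost matches, then fails at the end
const shapes = [
  ['(a+)+$', 'a+$'],            // nested quantifier
  ['(a|aa)*$', 'a*$'],          // quantified alternation with overlapping branches
  ['[a-z]+[a-z]+$', '[a-z]+$'], // adjacent quantifiers over overlapping classes
  ['(a*)*$', 'a*$'],            // quantifier over a group that can match empty
];
for (const [bad, good] of shapes) {
  console.log(`${bad.padEnd(14)} x${growth(bad, attack).toFixed(0).padStart(7)}   fixed ${good.padEnd(8)} x${growth(good, attack).toFixed(0)}`);
}
```

The adjacent-quantifier row grows by roughly the square of the length ratio while the three exponential rows grow by thousands, which is why the page treats the first as a warning and the others as high severity.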
Each finding carries a severity, the offending sub pattern from your regex, a plain explanation of why it backtracks, and a concrete fix. A high severity finding means a structure with a known exponential worst case, a warning means an ambiguity worth removing, and a clean result means these checks found no obvious red flag. Be honest with yourself about that last point: these are structural heuristics over common ECMAScript regex shapes, they do not model lookaround, backreferences or the rest of full PCRE, and they can have false negatives. A clean result is a good sign, not a guarantee. Judging real exploitability also means reasoning about how the pattern meets attacker controlled input, whether that input is length limited, and whether the engine is anchored or retries from every start position, which is the kind of context an AI security testing approach reasons about rather than pattern matching one string.
Where you control the engine, prefer a linear-time one such as RE2, which guarantees match time proportional to input length and cannot backtrack catastrophically (it gives up backreferences and lookaround to get there). The optional live demonstration on this page runs the regex against a crafted string inside a Web Worker with a short timeout, then terminates the worker. That is exactly the isolation pattern you want in production, so that one bad pattern cannot freeze the whole process. For the wider set of input handling weaknesses attackers probe, see the web application security writing and the web security glossary.
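The same isolation pattern server-side, as an added example rather than the page's demo code: Node's worker_threads stand in for the browser Web Worker, the regex runs in a worker created from an inline script, and the parent gives it a time budget and terminates it if no answer arrives. `testWithBudget` and its result shape are this example's own; the 64-character attack string is constructed here.

```javascript
// Added example, not the page's demo: run a regex in a worker with a time
// budget, terminating the worker if it is still backtracking when time is up.
async function testWithBudget(pattern, input, budgetMs) {
  const { Worker } = await import('node:worker_threads'); // dynamic import works from CJS and ESM
  const worker = new Worker(
    `const { parentPort, workerData } = require('node:worker_threads');
     const re = new RegExp(workerData.pattern);
     parentPort.postMessage(re.test(workerData.input));`,
    { eval: true, workerData: { pattern, input } },
  );
  return new Promise((resolve) => {
    let settled = false;
    const finish = (result) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      worker.terminate(); // interrupts a regex stuck in backtracking; harmless if already exited
      resolve(result);
    };
    const timer = setTimeout(() => finish({ status: 'timeout', budgetMs }), budgetMs);
    worker.once('message', (matched) => finish({ status: 'done', matched }));
    worker.once('error', (err) => finish({ status: 'error', message: err.message })); // e.g. invalid pattern
  });
}

(async () => {
  const crafted = 'a'.repeat(64) + '!'; // constructed: 2^63 ways to split the run before failing
  console.log(await testWithBudget('(a+)+$', crafted, 200));
  console.log(await testWithBudget('^a+$', 'aaa', 2000));
  console.log(await testWithBudget('a(', 'x', 2000));
})();
```

The budget is spent on one worker thread, never on the main event loop, and `terminate()` is what actually reclaims the CPU; a plain `Promise.race` with a timer would report the timeout but leave the regex spinning.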