Inefficient Regular Expression Complexity in erxes/erxes


Reported on

Jul 24th 2021

✍️ Description

If we want to use Regex in our match or search or replace or … functions, we must be sanitize this function's inputs. if an attacker capable to inject any Regex or abuse the exponential Regexes that used in our codes, then the ReDoS vulnerability appear and according to "freezing the web a study of ReDoS vulnerabilities in JavaScript-based web servers" Paper if the web server be JavaScript-based and also be Node.js, this probability exists that one user can do DoS attack that affect on response time of all users from server as Node.js has a single-thread functionality.

I found this regex for matching with correct email that used when new users want to registering to site:


Obviously you should not use multiple * or + after each other especially on of them in a group and the group also can be repeated like this part \w+)*.

first, I apologize to test a DoS vulnerability in your main website at

second after two or three time that sending following payload to server, the server going down for 30 second approximately [1].


again, I apologize to you.

💥 Impact

This vulnerability is capable of make high damage on server.


2 years ago


@admin hi dear huntr team

this is a critical vulnerability as you see in picture the server with only a small payload going down for 30 second. plz immediately find out a way to connect to maintainers

2 years ago


We haven't got a response from them yet - but you can see the issue here and follow up with them in another way if you have one.

We have contacted a member of the erxes team and are waiting to hear back 2 years ago
erxes/erxes maintainer validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
erxes/erxes maintainer marked this as fixed with commit 91a90c 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation