@yujiteshima

Summary

This PR fixes a ReDoS (Regular Expression Denial of Service) vulnerability in the Firefox stack trace parser.

Fixes #35490

The original regex pattern (?:.*".+")?[^@]* in firefoxFrameRegExp contained nested quantifiers that could cause catastrophic backtracking when processing malicious inputs. With a crafted input containing 2000 repeated patterns, the regex took over 2.5 seconds to process, causing the DevTools to become unresponsive.

The fix: Changed .*".+" to "[^"]+" using a negated character class. This achieves O(n) linear time complexity while preserving identical matching behavior for all valid Firefox stack frames.

| Input | Before | After |
| --- | --- | --- |
| Malicious (2000 repeats) | 2500+ ms | 0 ms |
| Valid Firefox stack frames | ✅ Works | ✅ Works |

How did you test this change?

  1. Verified the fix resolves the vulnerability:

```js
const firefoxFrameRegExp = /^((?:"[^"]+")?[^@]*)@(.+):(\d+):(\d+)$/;
const nullChar = String.fromCharCode(0);
const maliciousInput = ' ' + ('"' + nullChar).repeat(2000) + '\r!\r!';

const start = Date.now();
firefoxFrameRegExp.test(maliciousInput);
console.log(Date.now() - start + 'ms'); // 0ms (was 2500+ ms)
```

  2. Verified existing functionality is preserved:

```js
// All valid Firefox stack traces still parse correctly
'tt@https://react.dev/_next/static/chunks/363.js:1:165558' // ✅
'f@https://react.dev/_next/static/chunks/pages/app.js:1:8535' // ✅
'"quoted"@file:1:1' // ✅
'funcName@file:1:1' // ✅
```

  3. Added a regression test to prevent future ReDoS vulnerabilities in this regex.

  4. Ran the standard checks:

```sh
yarn linc            # ✅ Lint passed
yarn flow dom-node   # ✅ No errors
yarn prettier        # ✅ Formatted
```
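Added example, not part of the pull request or the React code base: a side-by-side harness that times both patterns on growing inputs and compares their capture groups on the four sample frames from the description. `oldFrameRegExp` is an assumption, reconstructed by substituting the fragment quoted in the summary into the fixed expression; the helper names are hypothetical.

```javascript
// Pattern before the fix, reconstructed (assumption) by putting the fragment
// quoted in the PR description back into the fixed expression.
const oldFrameRegExp = /^((?:.*".+")?[^@]*)@(.+):(\d+):(\d+)$/;
// Pattern after the fix, copied from the PR description.
const newFrameRegExp = /^((?:"[^"]+")?[^@]*)@(.+):(\d+):(\d+)$/;

// Constructed input with the same shape as the PR's test string.
function craftedInput(repeats) {
  return ' ' + ('"' + String.fromCharCode(0)).repeat(repeats) + '\r!\r!';
}

// Wall-clock milliseconds for one test() call against the given input.
function timeMatch(regExp, input) {
  const start = Date.now();
  regExp.test(input);
  return Date.now() - start;
}

// Sample frames listed in the PR description.
const validFrames = [
  'tt@https://react.dev/_next/static/chunks/363.js:1:165558',
  'f@https://react.dev/_next/static/chunks/pages/app.js:1:8535',
  '"quoted"@file:1:1',
  'funcName@file:1:1',
];

// Capture groups (name, file, line, column) or null when nothing matches.
function parseFrame(regExp, frame) {
  const match = regExp.exec(frame);
  return match === null ? null : match.slice(1);
}

// Frames for which the two patterns disagree; empty means no regression.
function findMismatches(frames) {
  return frames.filter(
    frame =>
      JSON.stringify(parseFrame(oldFrameRegExp, frame)) !==
      JSON.stringify(parseFrame(newFrameRegExp, frame)),
  );
}

// Growth check: the old pattern is only run on small sizes to keep this quick.
for (const repeats of [100, 200, 400]) {
  const input = craftedInput(repeats);
  console.log(
    `${repeats} repeats: old ${timeMatch(oldFrameRegExp, input)}ms, ` +
      `new ${timeMatch(newFrameRegExp, input)}ms`,
  );
}
console.log('mismatching frames:', findMismatches(validFrames));
```

Doubling `repeats` shows how fast the old pattern's time grows while the new one stays flat; the equivalence check covers only the frames listed, so extend `validFrames` with real traces before relying on it.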


guiyi-he commented Jan 20, 2026

Hi, @yujiteshima @gnoff

Whether you need to actively request a review will determine whether the subsequent process will proceed.

Best regards
Guiyi He

aarushdubey added a commit to aarushdubey/react that referenced this pull request Jan 23, 2026
- Replace vulnerable regex pattern with safe alternative
- Use negated character class [^@] instead of nested quantifiers
- Prevents catastrophic backtracking on malicious input
- Maintains identical matching behavior for valid stack traces

Reference: PR facebook#35509
Fixes facebook#35490