
ReDoS Spike in npm: What 143% Growth Means for Your Pipeline

The Issue at Hand

Between 2017 and 2018, reported ReDoS (Regular Expression Denial of Service) vulnerabilities in npm packages grew by 143%. This was not an isolated incident but an ecosystem-wide pattern in Node.js. Notably, 78% of those vulnerabilities were in indirect (transitive) dependencies: packages nobody on your team chose, which code review never touches and which a scan limited to direct dependencies never sees.

In Node.js the impact is amplified by the single-threaded event loop. A regex match runs synchronously on that one thread, so a single input that triggers catastrophic backtracking blocks every request the process is serving, turning a millisecond operation into a multi-second freeze. No timer, callback or I/O completion runs until the match returns.

Understanding the Timeline

The data reflects a year-over-year trend rather than a single event:

  • 2017 Baseline: Typical vulnerability distribution in the npm ecosystem.
  • 2018: 143% increase in reported ReDoS vulnerabilities.
  • Ongoing: XSS vulnerabilities continue to rise across open-source ecosystems.
  • Ecosystem-wide: 78% of vulnerabilities sit in indirect dependencies, so most of the exposure is invisible from package.json.

This isn't a breach timeline but a timeline of growing vulnerability debt. Delaying action only increases your exposure.

Identifying Control Failures

The failures here were architectural and procedural, not about missing firewalls or unpatched servers:

  • Dependency Vetting Lapses: Teams review direct dependencies and neglect the indirect ones. Your package.json might list 15 dependencies while npm ls --all shows over 400 packages in node_modules. You ship, and are accountable for, all of them.

  • Misplaced Input Validation: Validation lives in application code, but much of the regex work on untrusted input happens earlier, inside dependencies: body and header parsers, URL and route matchers, sanitizers and formatters. By the time your validator runs, a vulnerable regex in a library has already executed against the raw input.

  • Overlooked Single-Threaded Risks: If you run Node.js in production, your threat model should explicitly address event loop blocking. Many don't, treating DoS as a network-layer problem (volumetric floods) and missing application-layer DoS, where a single well-crafted request does the damage.

  • Lack of SCA Coverage for Indirect Dependencies: Known-vulnerability scanners catch only the ReDoS that someone has already reported and published an advisory for; few tools statically flag dangerous regex patterns in the transitive tree, and scans pointed at package.json instead of the lockfile never examine deeply nested packages at all.

Compliance Standards and Requirements

  • PCI DSS v4.0.1 requires identifying and addressing common coding vulnerabilities during development. In the OWASP Top 10, a ReDoS inherited from a library falls under A06:2021 – Vulnerable and Outdated Components. You can't claim compliance if 78% of your dependency tree is unvetted.

  • OWASP ASVS v4.0.3 Section V5.1 (Input Validation) requires that untrusted data be validated before it is processed. For Node.js this covers two distinct ReDoS shapes: user-supplied strings matched against an overly complex fixed pattern, and user input used to build the pattern itself (new RegExp(userInput)), which lets the attacker hand you the catastrophic regex directly.

  • ISO/IEC 27001:2022 Annex A control 5.21 (managing information security in the ICT supply chain) requires maintaining security throughout the supply chain. Your npm dependencies are part of that supply chain.

  • NIST SP 800-53 Rev 5 SA-15 (Development Process, Standards, and Tools) requires a documented development process with explicit security requirements, and that extends to the third-party components you build on. "We trust npm" is not sufficient. You need specific criteria: no known ReDoS patterns, regex complexity limits, and test coverage for edge cases.

Actionable Steps for Your Team

1. Map Your Full Dependency Tree

Run npm ls --all > dependencies.txt to see your actual attack surface (npm 7 and later print only direct dependencies without --all). If you're scanning only direct dependencies, you're missing 78% of the risk. Add this to your CI pipeline:

npm audit --omit=dev --audit-level=moderate    # npm 8+; on older npm use --production
npm ls --all --parseable | tail -n +2 | wc -l > dependency_count.txt    # --all walks the full tree; tail drops the root entry

Track this number over time. If it's growing faster than your feature velocity, you have a dependency bloat problem.

2. Implement Regex Complexity Limits

Node.js gives you no backtracking limit: V8's Irregexp engine will happily spend minutes on a single match. You need to:

  • Put a hard deadline on regex operations over untrusted input. AbortController or a timer on the main thread cannot do this, because the match is synchronous and no timer fires until it returns; the deadline has to come from a worker thread or child process you can terminate (step 6), or from a linear-time engine such as RE2 bindings.
  • Flag any regex with nested unbounded quantifiers ((a+)+, (a*)*, (\w+\s?)*) or overlapping alternation inside a repeated group ((a|aa)+) during code review.
  • Use static analysis tools that detect ReDoS patterns (ESLint plugin eslint-plugin-security, npm package safe-regex).

A single endpoint that runs user input through a vulnerable regex is enough: one request per worker process freezes that process, so an attacker needs only a handful of requests to take down an entire Node.js cluster.

3. Prioritize Indirect Dependencies in SCA

Your SCA tool should:

  • Scan the full node_modules tree (better, the lockfile that produced it), not just package.json.
  • Flag packages with known ReDoS CVEs.
  • Alert on packages that haven't been updated in over two years.

If your tool can't do this, consider alternatives like Snyk, Dependabot, and Socket.dev. Configure them to fail builds on high-severity findings in any dependency layer.

4. Add Event Loop Monitoring

Deploy event loop lag monitoring in production. If your p99 event loop lag exceeds 50ms, something is blocking the loop -- possibly a ReDoS attack in progress.

Use perf_hooks (monitorEventLoopDelay) or a library like loopbench. Alert on sustained lag spikes; that gives you detection even for a vulnerability your scanners missed.

5. Document Your Dependency Acceptance Criteria

For PCI DSS and ISO 27001 compliance, document criteria for accepting third-party code:

  • Maximum dependency age (e.g., no packages unmaintained for over 18 months).
  • Required test coverage threshold.
  • Regex complexity limits.
  • Maintainer reputation checks (GitHub stars, download counts, security disclosure process).

Review this quarterly. Your 2018 criteria don't match your 2024 threat landscape.

6. Isolate Regex Processing

If you're processing user input through complex patterns, run the match in a worker thread or separate process with a deadline, and terminate it when the deadline passes. That turns an unbounded CPU burn into a bounded, observable failure for one request instead of a freeze for every request the process is serving.

Consider this your circuit breaker for regex operations. The 143% spike in ReDoS vulnerabilities means this isn't paranoia -- it's due diligence.


The 143% increase in ReDoS vulnerabilities isn't slowing down. Every npm package you add multiplies your exposure, and 78% of that exposure lives in dependencies you never directly chose. Your scanning tools, threat models, and acceptance criteria need to reflect this reality. Start with the dependency tree map. You can't protect what you can't see.
