The issue involves optimizing regex patterns to prevent ReDoS vulnerabilities.
The issue identifies a ReDoS vulnerability in react-devtools-shared due to inefficient regex patterns. The fix requires optimizing these regexes to prevent catastrophic backtracking. The scope is somewhat clear, but verifying the fix against the latest main branch is a blocker.
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in Facebook React within the react-devtools-shared package. The issue exists in the backend/utils.js component, specifically within the regular expressions used for parsing at lines 368, 369, 381, and 417. By providing a specially crafted input string to the DevTools backend, an attacker or a malicious website being inspected can trigger catastrophic backtracking. This leads to excessive CPU consumption and causes the browser tab or the DevTools process to become unresponsive, resulting in a Denial of Service (DoS).
https://github.com/facebook/react/blob/68dbd84b61cc2504c30e19f748f59a52d331f851/packages/react-devtools-shared/src/backend/utils.js#L368
https://github.com/facebook/react/blob/68dbd84b61cc2504c30e19f748f59a52d331f851/packages/react-devtools-shared/src/backend/utils.js#L369
https://github.com/facebook/react/blob/68dbd84b61cc2504c30e19f748f59a52d331f851/packages/react-devtools-shared/src/backend/utils.js#L381
https://github.com/facebook/react/blob/68dbd84b61cc2504c30e19f748f59a52d331f851/packages/react-devtools-shared/src/backend/utils.js#L417
PoC for line 368:
/**
* ReDoS PoC for regexId: 6 (Validated and Optimized)
*
* Target Regex: /\)+$/
* Dataflow Path: componentStack -> split('\n') -> trim() -> replace(/^\(+/) -> SINK: replace(/\)+$/)
* Path Constraints: Must pass Chrome stack format check
* Data Transformations: split('\n'), trim(), replace(/^\(+/, "")
*
* Generated Time: 2025-12-02
* Phase: Phase 3 - Optimized (2 iterations)
* Status: VALIDATED SUCCESS
*
* === VALIDATION RESULTS ===
* Phase 2 Result: FAILED (Not reaching target Sink)
* Phase 3 Iterations: 2
*
* Iteration 1: Added ':' to suffix to satisfy path constraint (url.indexOf(':') !== -1)
* Result: Reached Sink but insufficient time (1.455s < 2000ms)
*
* Iteration 2: Increased repeatTimes from 80,000 to 200,000
* Result: SUCCESS - Sink execution time
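One way to remove the backtracking from the trimming step named in the dataflow path above (replace(/^\(+/) followed by replace(/\)+$/)), as an added example that is not part of the original issue and is not React's code. The function names and the sample strings are assumptions made up for the illustration.

```javascript
// Added example; stripParensRegex, stripParensLinear and SAMPLES are
// hypothetical names, not identifiers from react-devtools-shared.

// The trimming as the dataflow path describes it. /\)+$/ has no left anchor,
// so when a long run of ')' is followed by any other character, a backtracking
// engine re-scans the rest of the run from every start offset before giving
// up: quadratic work in the length of the run.
function stripParensRegex(s) {
  return s.replace(/^\(+/, '').replace(/\)+$/, '');
}

// Same result with two index scans. Each character is inspected at most once,
// so the cost is linear whatever the input looks like.
function stripParensLinear(s) {
  let start = 0;
  let end = s.length;
  while (start < end && s.charCodeAt(start) === 0x28 /* '(' */) start++;
  while (end > start && s.charCodeAt(end - 1) === 0x29 /* ')' */) end--;
  return s.slice(start, end);
}

// Constructed inputs (not taken from real stack traces) covering normal
// frames and the edge cases where the two scans could meet or overlap.
const SAMPLES = [
  '((http://localhost:3000/app.js:10:5))',
  '(a.js:1:1)',
  'a.js:1:1',
  '(x))(y)',
  '()',
  '(((',
  ')))',
  ')(',
  '',
];

// Number of samples on which the two implementations disagree (expected: 0).
function countMismatches(samples) {
  return samples.filter((s) => stripParensRegex(s) !== stripParensLinear(s))
    .length;
}

console.log('mismatches:', countMismatches(SAMPLES));
```

The equivalence check only uses short strings, so the regex version stays cheap here; the linear version can be called on inputs of any length.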