Specifying an infinite regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the “Notes to Callers” section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1333: Inefficient Regular Expression Complexity
OWASP:
- A01:2017 - Injection
When using System.Text.RegularExpressions to process untrusted input, pass a timeout. A malicious user can provide input that abuses the backtracking behaviour of this regular expression engine. This leads to excessive CPU usage and can cause a Denial of Service.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-1333: Inefficient Regular Expression Complexity
OWASP:
- A01:2017 - Injection
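The two findings above side by side with a bounded alternative, as an added example that is not part of the rule definitions. The class name, the pattern, the 2-second budget and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

static class SafeRegex
{
    // Assumed budget for this example; the rule text suggests a short timeout such as 2 or 3 seconds.
    private static readonly TimeSpan MatchTimeout = TimeSpan.FromSeconds(2);

    // Hypothetical validation pattern with a nested quantifier, which backtracks heavily on near-miss input.
    private const string Pattern = @"^(\w+\s?)+$";

    // Flagged form: no explicit timeout. Unless an application-wide default is set,
    // matching runs until the engine finishes, however long that takes.
    public static bool IsValidUnbounded(string untrusted) =>
        new Regex(Pattern).IsMatch(untrusted);

    // Bounded form: the timeout is passed to the constructor and a timeout counts as a rejection.
    public static bool IsValid(string untrusted)
    {
        var regex = new Regex(Pattern, RegexOptions.None, MatchTimeout);
        try
        {
            return regex.IsMatch(untrusted);
        }
        catch (RegexMatchTimeoutException ex)
        {
            // Log the input length rather than the input; ex.MatchTimeout is the budget that was exceeded.
            Console.Error.WriteLine(
                $"regex timed out after {ex.MatchTimeout} on input of length {untrusted.Length}");
            return false; // fail closed
        }
    }

    static void Main()
    {
        // Constructed sample inputs: one ordinary value, one that exercises the timeout path.
        Console.WriteLine(IsValid("hello world"));
        Console.WriteLine(IsValid(new string('a', 40) + "!"));
    }
}
```

Catching `RegexMatchTimeoutException` at the call site matters as much as setting the timeout: left unhandled, the timeout turns into an exception in the request path instead of a rejected input.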