What causes ReDoS in Python regex ?

Nested quantifiers like (.*)+ or overlapping alternatives force exponential backtracking on crafted inputs.

Which Python packages have dangerous regex patterns?

Aiohttp's WebSocket parser, pytest's expressions, plus hits in Flask, Django, Scrapy, Celery—23 total from 20 scanned.

Use atomic groups (?>...) or possessive quantifiers (?+) in Python 3.11+; static AST analysis spots them early. Word count: 1027.

🔒 Security & Privacy

One bad regex nearly took down Cloudflare globally. I audited 20 Python staples like Flask and Pandas—23 ticking time bombs remain.

theAIcatchup Apr 08, 2026 4 min read

Static AST analysis detects ReDoS risks without test inputs, flagging 23 in top Python libs. 𝕏
Aiohttp and pytest show real-world examples; fixes via atomic groups in Python 3.11+. 𝕏
Echoes Heartbleed—overlooked regex in deps could spark next big outage. 𝕏

Published by

Community-driven. Code-first.

#Cloudflare incident #Python packages security #Python regex #Python regex vulnerabilities #ReDoS #ReDoS vulnerabilities #aiohttp security #static analysis #vulnerable libraries #vulnerable packages

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by Dev.to