The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Use regular expressions that do not support backtracking, e.g. by removing nested quantifiers.
Set backtracking limits in the configuration of the regular expression implementation, such as PHP's pcre.backtrack_limit. Also consider limits on execution time for the process.
Do not use regular expressions with untrusted input. If regular expressions must be used, avoid using backtracking in the expression.
Limit the length of the input that the regular expression will process.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
CVE-2020-5243server allows ReDOS with crafted User-Agent strings, due to overlapping capture groups that cause excessive backtracking.
CVE-2021-21317npm package for user-agent parser prone to ReDoS due to overlapping capture groups
CVE-2019-16215Markdown parser uses inefficient regex when processing a message, allowing users to cause CPU consumption and delay preventing processing of other messages.
CVE-2019-6785Long string in a version control product allows DoS due to an inefficient regex.
CVE-2019-12041Javascript code allows ReDoS via a long string due to excessive backtracking.