Our website uses cookies to enhance your browsing experience.

Accept

Home

>

Documentation

>

Warnings

>

V5327. OWASP. Possible regex...

Introduction

How to enter the PVS-Studio license and what's the next move

PVS-Studio's trial mode

System requirements

Technologies used in PVS-Studio

Release history

Release history for previous versions (before 7.00)

Analyzing projects

On Windows

Getting acquainted with the PVS-Studio static code analyzer on Windows

Build-system independent analysis (C and C++)

Direct integration of the analyzer into build automation systems (C and C++)

On Linux and macOS

PVS-Studio C# installation on Linux and macOS

How to run PVS-Studio C# on Linux and macOS

Installing and updating PVS-Studio C++ on Linux

Installing and updating PVS-Studio C++ on macOS

How to run PVS-Studio C++ on Linux and macOS

Cross-platform

Direct use of Java analyzer from command line

Cross-platform analysis of C and C++ projects in PVS-Studio

PVS-Studio for embedded development

Analysis of C and C++ projects based on JSON Compilation Database

IDE

Get started with PVS-Studio in Visual Studio

Using PVS-Studio with JetBrains Rider and CLion

How to use the PVS-Studio extension for Qt Creator

How to integrate PVS-Studio in Qt Creator without the PVS-Studio plugin

Using the PVS-Studio extension for Visual Studio Code

Using PVS-Studio with IntelliJ IDEA and Android Studio

Build systems

Analyzing Visual Studio / MSBuild / .NET projects from the command line using PVS-Studio

Using PVS-Studio with the CMake module

Integrating PVS-Studio Java into the Gradle build system

Integrating PVS-Studio Java into the Maven build system

Game Engines

How to analyze Unity projects with PVS-Studio

Analysis of Unreal Engine projects

Continuous use of the analyzer in software development

Running PVS-Studio in Docker

Running PVS-Studio in Jenkins

Running PVS-Studio in TeamCity

How to upload analysis results to Jira

PVS-Studio and continuous integration

PVS-Studio's incremental analysis mode

Analyzing commits and pull requests

Unattended deployment of PVS-Studio

Speeding up the analysis of C and C++ code through distributed build systems (Incredibuild)

Integrating of PVS-Studio analysis results in code quality services (web dashboard)

Integration of PVS-Studio analysis results into DefectDojo

Integration of PVS-Studio analysis results into SonarQube

Integration of PVS-Studio analysis results into CodeChecker

Deploying the analyzer in cloud Continuous Integration services

Using with Travis CI

Using with CircleCI

Using with GitLab CI/CD

Using with GitHub Actions

Using with Azure DevOps

Using with AppVeyor

Using with Buddy

Managing analysis results

How to display the analyzer's most interesting warnings

How to use the OWASP diagnostic group in PVS-Studio

MISRA Coding Standards and Compliance

Baselining analysis results (suppressing warnings for existing code)

Handling the diagnostic messages list in Visual Studio

Suppression of false-positive warnings

How to view and convert analyzer's results

Relative paths in PVS-Studio log files

Viewing analysis results with C and C++ Compiler Monitoring UI

Notifying the developer teams (blame-notifier utility)

Filtering and handling the analyzer output through diagnostic configuration files (.pvsconfig)

Excluding files and directories from analysis

Additional configuration and resolving issues

Tips on speeding up PVS-Studio

PVS-Studio: troubleshooting

Additional diagnostics configuration

User annotation mechanism in JSON format

Annotating C and C++ entities in JSON format

Annotating C# entities in JSON format

Predefined PVS_STUDIO macro

Analysis configuration file (Settings.xml)

Settings: general

Settings: Common Analyzer Settings

Settings: Detectable Errors

Settings: Don't Check Files

Settings: Keyword Message Filtering

Settings: Registration

Settings: Specific Analyzer Settings

Analyzer diagnostics

PVS-Studio Messages

General Analysis (C++)

General Analysis (C#)

General Analysis (Java)

Micro-Optimizations (C++)

Micro-Optimizations (C#)

Diagnosis of 64-bit errors (Viva64, C++)

Customer specific requests (C++)

MISRA errors

AUTOSAR errors

OWASP errors (C++)

OWASP errors (C#)

OWASP errors (Java)

Problems related to code analyzer

Additional information

Credits and acknowledgements

Apr 02 2025

V5327. OWASP. Possible regex injection. Potentially tainted data is used to create regular expression

Apr 02 2025

The analyzer has detected that external data is used to create regular expressions without verification. This exposes the application to the risk of a Denial of Service (DoS) attack.

This vulnerability can be categorized under the OWASP Top 10 2021 classification as follows:

A3:2021 - Injection.

If the code looks like this:

@GetMapping("/check")
public String checkInput(@RequestParam("input") String input) {
    var match = vulnerableString.matches(input); // <=
    if (match) {
        return "Valid input";
    } else {
        return "Invalid input";
    }
}

Attackers can create an inefficient regular expression that degrades the application performance. In the worst case, if attackers can exploit an Evil Regex—a regular expression that causes execution to hang—it will result in DoS. Such an attack is called ReDoS.

To harden security, escape an output using Pattern.quote:

@GetMapping("/check")
public String checkInput(@RequestParam("input") String input) {
    var regex = Pattern.quote(input);
    var match = vulnerableString.matches(input);
    if (match) {
        return "Valid input";
    } else {
        return "Invalid input";
    }
}

This diagnostic is classified as:

CWE-1333 CWE-20 CWE-400

Was this page helpful?

If you can’t find an answer to your question, fill in the form below and our developers will contact you

By clicking this button you agree to our Privacy Policy statement

Fill out the form in 2 simple steps below:

Your contact information:

Step 1

Congratulations! This is your promo code!

Desired license type:

Step 2

Team license

Enterprise license

* Difference between Team and Enterprise

Didn't get our email?

By clicking this button you agree to our Privacy Policy statement

Request our prices

Why do we ask to use Business Email?

New License

License Renewal

I am a reseller

--Select currency--

USD

EUR

Didn't get our email?

By clicking this button you agree to our Privacy Policy statement

Free PVS‑Studio license for Microsoft MVP specialists

Why do we ask to use Business Email?

Didn't get our email?

By clicking this button you agree to our Privacy Policy statement

I want to join the test

Why do we ask to use Business Email?

Didn't get our email?

* By clicking this button you agree to our Privacy Policy statement

check circle

Message submitted.

Your message has been sent. We will email you at

If you do not see the email in your inbox, please check if it is filtered to one of the following folders:

Promotion
Updates
Spam

Want to try PVS‑Studio for free?