ReDoctor¶

The Python ReDoS Vulnerability Scanner

Protect your applications from Regular Expression Denial of Service attacks with static analysis and intelligent fuzzing.

:rocket: Get Started :fontawesome-brands-github: View on GitHub

What is ReDoS?¶

Regular Expression Denial of Service (ReDoS) is a type of algorithmic complexity attack that exploits the worst-case behavior of regex engines. A vulnerable regex can cause your application to hang for minutes—or even hours—when processing malicious input.

This innocent-looking regex is VULNERABLE!

import re
pattern = r"^(a+)+$"

# This will hang your application:
re.match(pattern, "a" * 30 + "!")  # Takes exponential time!

ReDoctor detects these vulnerabilities before they reach production.

Quick Start¶

1 Install¶

pip install redoctor

2 Check¶

redoctor '^(a+)+$'
# VULNERABLE: ^(a+)+$ - O(2^n)

3 Integrate¶

from redoctor import check

result = check(r"^(a+)+$")
if result.is_vulnerable:
    print(f"Attack: {result.attack}")

Features¶

Hybrid Analysis Engine¶

Combines static automata-based analysis with intelligent fuzzing for comprehensive detection. Catches vulnerabilities that single-approach tools miss.

Fast & Zero Dependencies¶

Pure Python with no external dependencies. Runs in milliseconds for most patterns. Compatible with Python 3.6+.

Accurate Results¶

Generates proof-of-concept attack strings with complexity analysis (O(n²), O(2ⁿ), etc.). Low false-positive rate through recall validation.

Source Code Scanning¶

Scan your entire Python codebase for vulnerable regex patterns. Integrates seamlessly with CI/CD pipelines.

Complexity Analysis¶

ReDoctor classifies vulnerabilities by their time complexity:

Complexity	Description	Risk Level
`O(n)`	Linear — Safe	Safe
`O(n²)`	Quadratic	Moderate
`O(n³)`	Cubic	High
`O(2ⁿ)`	Exponential	Critical

How It Works¶

┌─────────────────────────────────────────────────────────────┐
│                     ReDoctor Engine                         │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌─────────────────┐         ┌─────────────────┐           │
│  │   Automaton     │         │     Fuzz        │           │
│  │   Checker       │         │    Checker      │           │
│  │                 │         │                 │           │
│  │  • NFA analysis │         │  • VM execution │           │
│  │  • Witness gen  │         │  • Step counting│           │
│  └────────┬────────┘         └────────┬────────┘           │
│           │                           │                     │
│           └───────────┬───────────────┘                     │
│                       │                                     │
│              ┌────────▼────────┐                            │
│              │ Recall Validator│                            │
│              └────────┬────────┘                            │
│                       │                                     │
│              ┌────────▼────────┐                            │
│              │   Diagnostics   │                            │
│              └─────────────────┘                            │
└─────────────────────────────────────────────────────────────┘

Learn more about how ReDoctor works →

Get Started¶

Read the Guide API Reference :terminal: CLI Docs

500+ Tests Passing

0 Dependencies

3.6+ Python Version

<10ms Typical Analysis