Regex Dos in Feathersjs with Basic Auth

When FeathersJS services use Basic Authentication, credentials are typically extracted from the Authorization header and validated via regular expressions. A Regex DoS (ReDoS) occurs when an attacker supplies a specially crafted string that causes an exponential backtracking path in an insecure regular expression. In the context of FeathersJS with Basic Auth, this often manifests in user-supplied values such as usernames, passwords, or API keys that are matched against patterns before authentication logic is applied.

For example, a developer might write a regex to validate a username or an API key like /^(?:[a-zA-Z0-9_]+)$/. While this specific pattern is safe, many implementations use more permissive patterns to support legacy systems or special characters. Patterns that include nested quantifiers, optional overlapping groups, or ambiguous repetition are vulnerable: /^(a+)+$/ or /([a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}) with subtle character class ambiguities can become catastrophic when matched against crafted input.

In FeathersJS, if the regex runs synchronously on each request before any asynchronous guards or hooks, a single malicious request can consume significant CPU time. Because the authentication step occurs early in the hook chain, an attacker can repeatedly trigger the vulnerable regex without needing valid credentials. This unauthenticated attack surface is especially concerning because FeathersJS often exposes services publicly. The combination of a vulnerable regex in the Basic Auth validation path and unauthenticated probing means an attacker can launch a ReDoS attack without prior access, leading to high CPU utilization and denial of service for legitimate users.

Using middleBrick’s unauthenticated scan, such regex issues are surfaced across the 12 security checks, including Input Validation and Authentication. The scan does not fix the regex but provides prioritized findings with severity, reproduction steps, and remediation guidance. This is important because the impact is immediate: a single request can stall event-loop processing in Node.js environments, affecting all users of the service.

To mitigate Regex DoS in FeathersJS when using Basic Auth, focus on three areas: validate and simplify regular expressions, avoid synchronous regex on untrusted input, and enforce strict parsing before authentication logic. Below are concrete code examples that demonstrate a vulnerable pattern and a hardened alternative.

Vulnerable pattern example

// Avoid: Nested quantifiers can cause exponential backtracking
const usernameRegex = /^(a+)+$/;
app.hooks.before.push({
  type: 'validate',
  fn: context => {
    const authHeader = context.params.headers.authorization || '';
    const match = authHeader.match(/^Basic (.*)$/);
    if (match) {
      const [user, pass] = Buffer.from(match[1], 'base64').toString().split(':');
      if (!usernameRegex.test(user)) {
        throw new Error('Invalid username');
      }
    }
    return context;
  }
});

Hardened remediation with safe regex and early validation

// Use a safe, non-backtracking pattern and fail fast
const safeUsernameRegex = /^[a-zA-Z0-9._-]{1,64}$/;

function parseBasicAuth(header) {
  if (!header || !header.startsWith('Basic ')) {
    return null;
  }
  try {
    const decoded = Buffer.from(header.slice(6), 'base64').toString('utf8');
    const separatorIndex = decoded.indexOf(':');
    if (separatorIndex === -1) return null;
    const user = decoded.slice(0, separatorIndex);
    const pass = decoded.slice(separatorIndex + 1);
    return { user, pass };
  } catch (error) {
    return null;
  }
}

app.hooks.before.push({
  type: 'validate',
  fn: async context => {
    const header = context.params.headers.authorization || '';
    const credentials = parseBasicAuth(header);
    if (!credentials) {
      throw new Error('Unauthorized');
    }
    // Use a safe, length-bounded regex to prevent ReDoS
    if (!safeUsernameRegex.test(credentials.user)) {
      throw new Error('Invalid username format');
    }
    // Proceed with your auth strategy (e.g., verify credentials against a store)
    context.params.auth = credentials;
    return context;
  }
});

Additional recommendations include using asynchronous validation hooks where possible to avoid blocking the event loop, setting reasonable timeouts for authentication steps, and monitoring for abnormal request patterns that may indicate an ongoing ReDoS attempt. With middleBrick’s GitHub Action, you can add API security checks to your CI/CD pipeline and fail builds if risky patterns are detected in committed hooks or configuration.