Regex Safety Analyzer
Flag catastrophic-backtracking shapes in regex patterns and probe with synthetic worst-case inputs.
High risk
This pattern has shapes known to cause exponential backtracking, or it slowed measurably on a synthetic worst case.
Findings (1)
Nested quantifier
A quantifier inside a group that is itself quantified is the canonical ReDoS pattern.
(a+)+Synthetic worst-case probes
| Input | Time (ms) | Matched |
|---|---|---|
| aaaaaaaa…(×10)! | 0.06 | yes |
| aaaaaaaa…(×20)! | 0.06 | yes |
| aaaaaaaa…(×25)! | 0.00 | yes |
| aaaaaaaa…(×28)! | 0.00 | yes |
</>Use this tool programmaticallycurl · JavaScript · MCP
Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.
curl
curl https://api.b-e-a-d.com/tools/regex-safety/run \
-H "Content-Type: application/json" \
-d '{
"pattern": "\\d+"
}'JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/regex-safety/run", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
"pattern": "\\d+"
}),
});
const data = await res.json();
console.log(data.result);MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
"mcpServers": {
"bead": {
"command": "npx",
"args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
}
}
}
# Then ask Claude to call:
mcp__bead__bead_regex_safetyFull reference: developer docs · OpenAPI spec
What we flag
- Nested quantifiers —
(a+)+,(a*)* - Alternation with overlap inside a quantifier —
(a|a)* - Quantifier on a group containing a quantifier — classic ReDoS pattern
- Unbounded greedy followed by an anchored suffix — slow-match risk
- Excessive lookbehinds / lookaheads
Caveats
Heuristic only. We catch the obvious shapes that destroy real services; we don't prove safety. For high-stakes inputs, run the pattern against pathological strings or use a non-backtracking engine (RE2 / Hyperscan).
You might also like
- Find & ReplaceBulk find-and-replace over text with optional regex, case sensitivity, and whole-word matching.
- Regex Cheat Sheet & BuilderBrowse regex tokens, click to build, and try the result against a sample — all in one place.
- Regex TesterTest JavaScript regular expressions with live match highlighting and capture groups.
- .env File ParserParse a .env file into JSON, with quoted-value and export support — and warn about anything fishy.