Skip to content
BEAD

Regex Safety Analyzer

Flag catastrophic-backtracking shapes in regex patterns and probe with synthetic worst-case inputs.

High risk
This pattern has shapes known to cause exponential backtracking, or it slowed measurably on a synthetic worst case.
Findings (1)
Nested quantifier
A quantifier inside a group that is itself quantified is the canonical ReDoS pattern.
(a+)+
Synthetic worst-case probes
InputTime (ms)Matched
aaaaaaaa…(×10)!0.06yes
aaaaaaaa…(×20)!0.06yes
aaaaaaaa…(×25)!0.00yes
aaaaaaaa…(×28)!0.00yes
</>Use this tool programmaticallycurl · JavaScript · MCP

Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.

curl
curl https://api.b-e-a-d.com/tools/regex-safety/run \
  -H "Content-Type: application/json" \
  -d '{
  "pattern": "\\d+"
}'
JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/regex-safety/run", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
  "pattern": "\\d+"
}),
});
const data = await res.json();
console.log(data.result);
MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
  "mcpServers": {
    "bead": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
    }
  }
}

# Then ask Claude to call:
mcp__bead__bead_regex_safety

Full reference: developer docs · OpenAPI spec

What we flag

  • Nested quantifiers — (a+)+, (a*)*
  • Alternation with overlap inside a quantifier — (a|a)*
  • Quantifier on a group containing a quantifier — classic ReDoS pattern
  • Unbounded greedy followed by an anchored suffix — slow-match risk
  • Excessive lookbehinds / lookaheads

Caveats

Heuristic only. We catch the obvious shapes that destroy real services; we don't prove safety. For high-stakes inputs, run the pattern against pathological strings or use a non-backtracking engine (RE2 / Hyperscan).

You might also like

Used in these workflows