October 8, 2021

GHSL-2021-118: ReDoS (Regular Expression Denial of Service) in Zulip - CVE-2021-41115

GitHub Security Lab

Coordinated Disclosure Timeline


Zulip contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).



Tested Version




ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on Zulip by following this link.

Two separate regular expressions are vulnerable, as described below.

Regex 1: Custom linkifiers in zerver/

The vulnerable regular expression is here.

Please follow these steps to reproduce the issue on a live Zulip organization:


A second way to see that the regular expression is vulnerable is to copy-paste it into a separate file as shown below:

import re
# The outer group is repeated with "+" while its own contents ([...]* and .+)
# are unbounded repeats as well; on a non-matching input the engine can try
# exponentially many ways of splitting the string between them (catastrophic
# backtracking).
regex = re.compile(r"^(?:(?:[\w\-#_= /:]*|[+]|[!])(\(\?P<\w+>.+\)))+$")

Regex 2: Markdown extensions in zerver/openapi/

The vulnerable regular expression is here.

To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:

import re
# The leading (\(\s*(.+?)\s*\))* repeats a group whose contents (\s* and .+?)
# are themselves unbounded, the same nested-quantifier shape as regex 1.
# Lazy quantifiers (+?) do not prevent the backtracking, they only reorder it.
regex = re.compile(r"\{generate_code_example(\(\s*(.+?)\s*\))*\|\s*(.+?)\s*\|\s*(.+?)\s*(\(\s*(.+)\s*\))?\}")
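Both regexes share one structural trait: an unbounded repeat (`*`, `+`, `{n,}`) nested inside another unbounded repeat. The following check, added here as an illustration and not code from Zulip, GHSL or the CodeQL query, walks CPython's own regex parse tree and counts such nested repeats, so the two patterns above can be screened before they are compiled. It relies on the interpreter's private parser (`re._parser`, formerly `sre_parse`), which is an assumption about the running Python rather than a public API. It is only a heuristic: a pattern such as `(a+b)*` is flagged although its alternatives cannot overlap, and slow patterns whose ambiguity comes from overlapping alternatives rather than nesting are missed, so it complements rather than replaces the static analysis the advisory refers to.

```python
"""Heuristic screen for the nested-unbounded-quantifier shape behind GHSL-2021-118.

Added example (not Zulip's or GHSL's code): reports every unbounded repeat that
sits inside another unbounded repeat, using CPython's internal regex parser.
"""
import warnings

try:  # Python 3.11+: the parser lives under re._parser (private API, assumed stable)
    from re import _parser as sre_parse
except ImportError:  # Python <= 3.10: the old module name, no warning there
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import sre_parse

# The two patterns quoted in the advisory (copied from the page, not constructed).
ZULIP_LINKIFIER_RE = r"^(?:(?:[\w\-#_= /:]*|[+]|[!])(\(\?P<\w+>.+\)))+$"
ZULIP_OPENAPI_RE = (r"\{generate_code_example(\(\s*(.+?)\s*\))*\|\s*(.+?)\s*"
                    r"\|\s*(.+?)\s*(\(\s*(.+)\s*\))?\}")
# Constructed control pattern: unbounded repeats, but none nested in another.
SAFE_EMAIL_RE = r"^[\w.-]+@[\w.-]+\.\w{2,}$"

# Greedy and lazy repeats both backtrack; possessive repeats (3.11+) do not.
REPEAT_OPS = (sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT)


def _subpatterns(av):
    """Yield every SubPattern nested anywhere inside an opcode's argument."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):  # BRANCH, SUBPATTERN, ASSERT, ... carry tuples
        for item in av:
            yield from _subpatterns(item)


def _walk(sub, inside_unbounded, found):
    """Depth-first walk; record repeats that are unbounded and already nested."""
    for op, av in sub:
        if op in REPEAT_OPS:
            lo, hi, body = av
            unbounded = hi == sre_parse.MAXREPEAT  # *, +, {n,}
            if unbounded and inside_unbounded:
                found.append(lo)
            _walk(body, inside_unbounded or unbounded, found)
        else:
            for child in _subpatterns(av):
                _walk(child, inside_unbounded, found)


def nested_unbounded_repeats(pattern: str) -> int:
    """Number of unbounded repeats nested inside another unbounded repeat."""
    found: list = []
    _walk(sre_parse.parse(pattern), False, found)
    return len(found)


def is_redos_candidate(pattern: str) -> bool:
    """True when the pattern has the nested-quantifier shape worth rejecting or reviewing."""
    return nested_unbounded_repeats(pattern) > 0


if __name__ == "__main__":
    for name, pat in [("linkifier", ZULIP_LINKIFIER_RE),
                      ("openapi", ZULIP_OPENAPI_RE),
                      ("email (control)", SAFE_EMAIL_RE)]:
        n = nested_unbounded_repeats(pat)
        print(f"{name}: {n} nested unbounded repeat(s), candidate={is_redos_candidate(pat)}")
```

Where user-supplied patterns are accepted (the linkifier case), a check of this kind belongs in the validator so that a flagged pattern is rejected before anything ever runs it; for patterns fixed in the code base, the same function can run as a unit test or pre-merge check so a nested-quantifier regex does not reach production unreviewed.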


This issue may lead to a denial of service.



This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).


You can contact the GHSL team at, please include a reference to GHSL-2021-118 in any communication regarding this issue.