[Bug]: ReDoS vulnerability in log redaction patterns affects all logging #5124

@coygeek

Summary

Severity: P0/Critical (Score: 100/150)
CWE: CWE-1333 - Inefficient Regular Expression Complexity
OWASP: A05:2021 - Security Misconfiguration
File: src/logging/redact.ts:48-60

The logging.redactPatterns configuration accepts arbitrary regex patterns that are applied to every single log message system-wide. A malicious pattern causes catastrophic backtracking on routine log output, creating a system-wide performance degradation or complete hang that affects all functionality—not just logging.

Why this is critical: Unlike the session filter ReDoS (issue 031), this pattern runs on EVERY log line. Normal application operation generates dozens of log messages per second. A pattern like /(a+)+$/ matched against common log text containing sequences of similar characters can slow each log call from microseconds to seconds. The multiplication effect (bad pattern × high log volume) makes this particularly devastating. Worse: the slowdown masks its own symptoms since logging the error is itself slow.

Triage Assessment

| Factor | Value | Score |
|---|---|---|
| Reachability | Config-dependent (requires config write access) | 5/40 |
| Impact | Denial of Service (system-wide slowdown) | 20/50 |
| Exploitability | Single malicious pattern | 30/30 |
| Verification | file:line ✓, code ✓, attack steps ✓ | 30/30 |
| Category Modifier | Smoking Gun (arbitrary regex on all logs) | +15 |
| Total | | 100/150 |

Steps to reproduce

  1. Configure logging.redactPatterns with a pattern like ["/(a+)+$/"]
  2. Trigger any logging with text matching the vulnerable pattern
  3. Observe severe slowdown or hang on log operations

Expected behavior

Redaction patterns should be validated for complexity before use, or have execution timeouts.

Actual behavior

Arbitrary regex patterns from config are compiled and executed against every log message without any safety checks.

Affected code location:

File (src/logging/redact.ts:48-60):

```typescript
function parsePattern(raw: string): RegExp | null {
  if (!raw.trim()) return null;
  // Accept either "/body/flags" or a bare pattern string
  const match = raw.match(/^\/(.+)\/([gimsuy]*)$/);
  try {
    if (match) {
      // Force the global flag so every occurrence in the log line is redacted
      const flags = match[2].includes("g") ? match[2] : `${match[2]}g`;
      return new RegExp(match[1], flags);
    }
    return new RegExp(raw, "gi");
  } catch {
    // Only syntax errors are caught here; nothing checks the pattern's complexity
    return null;
  }
}
```

Environment

  • Version: latest (main branch)
  • OS: Any
  • Install method: Any

Logs or screenshots

N/A - issue is in code logic

Impact

  • System-wide: Redaction is applied to every single log message
  • Observability: Slowed logging can mask ongoing attacks
  • Availability: Severe patterns can effectively DoS the entire system

Recommended fix

  1. Validate regex patterns using safe-regex before acceptance
  2. Consider pre-defined redaction patterns instead of arbitrary regex
  3. Add execution timeout for pattern matching
  4. Log a warning and skip patterns that fail safety validation
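A hardened variant of the parsePattern shown above, added here as an example (not the project's own code): it keeps the same "/body/flags" syntax but runs a star-height check before compiling, so a pattern like /(a+)+$/ is rejected with a reason that can be logged and skipped, as fixes 1 and 4 suggest. The names parsePatternSafe, findNestedQuantifier, unboundedQuantifierAt and Verdict are my own; the check is a stand-in for a library such as safe-regex and, as noted in the comments, does not cover overlapping alternation.

```typescript
type Verdict = { ok: true; regex: RegExp } | { ok: false; reason: string };
// True when an unbounded quantifier (*, + or {n,}) starts at p[i]; {n} and {n,m} are bounded.
function unboundedQuantifierAt(p: string, i: number): boolean {
  if (p[i] === "*" || p[i] === "+") return true;
  if (p[i] !== "{") return false;
  const m = /^\{(\d+)(,(\d*))?\}/.exec(p.slice(i));
  return m !== null && m[2] !== undefined && m[3] === "";
}
// Star-height check: offset of the first unbounded quantifier applied to a group that
// already contains an unbounded quantifier (the /(a+)+/ shape), or -1 if there is none.
// Limitation: overlapping alternation such as (a|aa)+ is not detected by this heuristic.
function findNestedQuantifier(source: string): number {
  const groupHasUnbounded: boolean[] = []; // one flag per currently open group
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === "\\") { i++; continue; }                 // escaped char is never syntax
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }      // quantifiers inside [...] are literal
    if (c === "(") { groupHasUnbounded.push(false); continue; }
    if (c === ")") {
      const inner = groupHasUnbounded.pop() ?? false;
      if (inner && unboundedQuantifierAt(source, i + 1)) return i + 1;
      if (inner && groupHasUnbounded.length) groupHasUnbounded[groupHasUnbounded.length - 1] = true;
      continue;
    }
    if (groupHasUnbounded.length && unboundedQuantifierAt(source, i)) {
      groupHasUnbounded[groupHasUnbounded.length - 1] = true;
    }
  }
  return -1;
}
// Same "/body/flags" syntax as the issue's parsePattern, but the body is checked before
// compilation and a rejected pattern comes back with a reason (to warn and skip) instead
// of being silently applied to every log line.
function parsePatternSafe(raw: string): Verdict {
  if (!raw.trim()) return { ok: false, reason: "empty pattern" };
  const m = raw.match(/^\/(.+)\/([gimsuy]*)$/);
  const body = m ? m[1] : raw;
  const flags = m ? (m[2].includes("g") ? m[2] : `${m[2]}g`) : "gi";
  const at = findNestedQuantifier(body);
  if (at !== -1) return { ok: false, reason: `nested unbounded quantifier at offset ${at}` };
  try {
    return { ok: true, regex: new RegExp(body, flags) };
  } catch (e) {
    return { ok: false, reason: `invalid regex: ${(e as Error).message}` };
  }
}
```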

Labels: bug (Something isn't working), stale (Marked as stale due to inactivity)