CVE-2026-35458: Go Dlclark Regexp2 Compile Without Match Timeout
regexp2.Compile result is used without assigning a MatchTimeout. The github.com/dlclark/regexp2 engine supports backtracking and defaults MatchTimeout to math.MaxInt64 (no timeout). When the pattern source is attacker-controlled (e.g. parsed from a request header or form field), a crafted regex with nested quantifiers can cause exponential backtracking and h
greprules fetch cve-2026-35458-go-dlclark-regexp2-compile-without-match-timeout --engine opengrep
Detection target
Not provided
Recommended fix
Not provided
False-positive notes
Not provided