by minitech 565 days ago
> exploits where long strings purportedly take a long time to process -- because they are slow to construct!

That’s not an accurate characterization of ReDoS. Even if a long string is required to produce the behavior, the vulnerability is that the string takes a disproportionately long time to process even for its length, such that it becomes disproportionately easy to bring down a service. The CVE scoring system gives denial of service way too much weight if you ask me, but it’s not a fake vulnerability.

2 comments

However, I think there are people spamming fake ReDoS vulns just to get creds. Things like, yeah, if you passed in 10 MB of input this would be a problem, but also some other layer limits it to 100 bytes.

ReDoS is real in certain circumstances, but it is way, way overhyped and usually bullshit.

You missed the point.

The code purported to be vulnerable is not slow because of the length of the string. The "example exploit" is slow because the reports use slow methods to construct the string under test. When timing the affected methods, they are _not_ slow.

Well, you didn’t link to that example exploit, and a random sampling from their profile looked legitimate. Do you have the specific link?
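The disagreement above comes down to one measurement: time only the regex call, on an input that was built before the clock starts, and look at how that time grows with input length. The script below is an added example, not code from the thread or from any report it discusses. The three patterns are illustrative stand-ins (assumed), not the regex of any particular CVE; the 5 µs floor and the "twice the length ratio" verdict threshold are judgment calls, and the global `performance` timer assumes Node 16 or later.

```javascript
// Added example (not from the thread or from any report it discusses): measure
// the regex call on its own, with the probe input built before the clock
// starts, and check how match time grows with input length. The patterns are
// illustrative stand-ins (assumed), not the regex of any specific CVE.

// Exponential: nested quantifiers over the same run of 'a's plus a forced
// failure ('!' can never satisfy '$'), so the engine tries every way of
// splitting the run between inner and outer group: ~2^(n-1) attempts.
const EXPONENTIAL = { re: /^(a+)+$/, build: (n) => "a".repeat(n) + "!" };

// Polynomial: an unanchored "trailing whitespace" check. From each start
// position the engine scans to the end, fails at 'x', and backtracks, so the
// total is O(n^2): negligible at 100 bytes, noticeable at tens of kilobytes.
const QUADRATIC = { re: /\s+$/, build: (n) => " ".repeat(n) + "x" };

// Linear rewrite of the first pattern: same language, single quantifier.
const LINEAR = { re: /^a+$/, build: (n) => "a".repeat(n) + "!" };

// Time exactly one regex call on an input that already exists. A warm-up call
// keeps the engine's lazy regex compilation out of the figure; the minimum of
// several runs damps scheduler noise.
function timeMatch(re, input, runs = 3) {
  re.test(input.slice(0, 2));
  let best = Infinity;
  let matched = false;
  for (let i = 0; i < runs; i++) {
    const t0 = performance.now();
    matched = re.test(input);
    best = Math.min(best, performance.now() - t0);
  }
  return { matched, ms: best };
}

// Compare match time at two lengths. A linear pattern grows by about
// big/small, a quadratic one by about (big/small)^2, an exponential one by far
// more. Times are floored at 5 microseconds so two near-zero readings on tiny
// inputs do not yield a meaningless ratio. The "twice the length ratio"
// verdict threshold is a judgment call (assumed) that leaves room for noise.
function classify(probe, small, big) {
  const floorMs = 0.005;
  const tSmall = Math.max(timeMatch(probe.re, probe.build(small)).ms, floorMs);
  const tBig = Math.max(timeMatch(probe.re, probe.build(big)).ms, floorMs);
  const factor = tBig / tSmall;
  return { tSmall, tBig, factor, superlinear: factor > 2 * (big / small) };
}

// The sizes matter: the exponential pattern is already slow at 20 bytes, so
// no realistic length cap at another layer saves it (100 bytes would be about
// 2^99 attempts; do not try it). The quadratic one needs thousands of bytes
// before it is noticeable, which is exactly the case where an upstream size
// limit is a real mitigation.
const PROBES = [
  ["exponential /^(a+)+$/", EXPONENTIAL, 14, 20],
  ["quadratic   /\\s+$/   ", QUADRATIC, 1000, 8000],
  ["linear      /^a+$/    ", LINEAR, 14, 20],
];

for (const [name, probe, small, big] of PROBES) {
  const r = classify(probe, small, big);
  console.log(
    `${name} ${small}->${big} bytes: ${r.tSmall.toFixed(3)} ms -> ` +
      `${r.tBig.toFixed(3)} ms (x${r.factor.toFixed(1)}), superlinear=${r.superlinear}`
  );
}
```

Run it with `node redos-check.js`. The ratio, not the absolute time, is what separates a real report from a slow test harness: a pattern whose time grows in step with the length is fine no matter how the probe string was built, while the exponential one is a problem at a size no input limit will block. The quadratic one is the case the second commenter describes, where a length cap elsewhere decides whether it matters.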