
CVE-2021-27293: Fix NewDateRegex

This advisory was emailed to the maintainer. Posting here as an issue as requested.

Doyensec Vulnerability Advisory

  • Regular Expression Denial of Service (REDoS) in RestSharp
  • Affected Product: RestSharp (All released versions)
  • Vendor:
  • Severity: Medium
  • Vulnerability Class: Denial of Service
  • Status: Open
  • Author: Ben Caller (Doyensec)


The .NET library RestSharp uses a regular expression which is vulnerable to Regular Expression Denial of Service (REDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an exceedingly long time. This allows the remote server to trigger a Denial of Service.


The vulnerable regular expression is NewDateRegex in RestSharp.Extensions.StringExtensions:

static readonly Regex NewDateRegex = new Regex(@"newDate\((-?\d+)*\)");

It is used by the ParseJsonDate function when deserializing JSON responses into classes with DateTime properties.

Due to the (-?\d+)* part containing nested repeats, this regular expression has catastrophic backtracking when processing a long string of digits. The behaviour occurs as long as the digits are not followed immediately by a closing parenthesis ')'.

An example of a REDoS payload is new Date(12345678901234567890123456789012345.

The space between 'new' and 'Date' is required due to pre-processing in ParseJsonDate:

if (input.Contains("new Date("))
input = input.Replace(" ", "");

The complexity is exponential: increasing the length of the malicious string of digits by one makes processing take about twice as long. On my laptop, 27 digits takes about 16 seconds to process and 28 digits takes about 32 seconds, so a string with 54 digits should take approximately 68 years to process.

The vulnerable regular expression was first introduced in commit 373a0a3


The REDoS can be triggered by calling RestSharp.Extensions.StringExtensions.ParseJsonDate directly, or by deserializing JSON responses into a class with a property of type DateTime.

Example C# code to see the effect of the REDoS is attached below. Changing the length of the string of zeroes will change the processing time.

using System;
using System.Globalization;
using RestSharp;
using RestSharp.Extensions;
using RestSharp.Serialization.Json;

namespace DoyensecRestSharpRedosTest
    class Thing
        public DateTime Time { get; set; }

    class Program
        static void ByParseJsonDate()
            var redos = "new Date(" + new String('0', 30);
            DateTime dt = StringExtensions.ParseJsonDate(redos, CultureInfo.InvariantCulture);

        static void ByDeserializer()
            var redosJson = @"{""Time"": ""new Date(" + new String('0', 30) + @"""}";
            var thing = (new JsonDeserializer()).Deserialize<Thing>(new RestResponse {Content = redosJson});

        static void ByRequest()
            // Server should return JSON {"Time": "new Date(000000000000000000000000000000"}
            Thing thing = new RestClient("https://localhost/thing.json").Execute<Thing>(new RestRequest(Method.GET)).Data;

        static void Main(string[] args)
            ByDeserializer(); // or try ByParseJsonDate() or ByRequest()


Fix NewDateRegex. We propose simply removing the asterisk:

    static readonly Regex NewDateRegex = new Regex(@"newDate\((-?\d+)\)");


@bcaller I can see a fix to this vulnerability, but on which version can we get this update?

@abhijeet490 The patch has not reviewed or merged. If you want the fix anytime soon you may need to make a fork.

I see that this issue has been closed, but the vulnerability still exists in version 106.11.7. On what version will this fix be released?

106.11.8-alpha.0.13 ๐Ÿ˜†

When could we expect a stable release which includes this fix?

I'm honestly asking, is it the common practice to share CVE publicly before the fix was released and adopted?

CVE's are already public knowledge. But its disappointing that its been since February without a patch.

@b-c-ds This issue should not be closed. Can you please confirm whether an official release is planned?

@gavinBurtonStoreFeeder I'm not a maintainer. It won't let me reopen the issue. Sorry. I only reported this issue and contributed one pull request. I don't think this project is super active so I wouldn't hold my breath waiting for a non-alpha release.
Also, if you aren't deserialising DateTimes you should be able to ignore this vulnerability.

This issue still exist when this will be fixed.

The PR was included to 106.12.0 release