Regular expressions have exponential worst-case time complexity, and their evaluation is a blocking operation. Together these make ReDoS (regular expression denial of service) attacks possible:
```
time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCX")'
// real 0.529s
time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
// real 3.809s
```
My suggestion is to make regexp matching asynchronous and cancellable. This would let us reliably protect ourselves from such attacks in production, because we (almost) always know how complex the input string is expected to be for a given matcher; anything beyond that is most likely an attack and does not need to be checked.