Untrusted data is passed to the application and used as a regular expression, or is matched against a regular expression whose structure allows catastrophic backtracking. This can cause the thread to over-consume CPU resources.
Backtracking regular expression engines (the evaluators found in most language runtimes and the matching methods built on them) can be made to consume CPU time that grows exponentially with the length of the input when the pattern contains nested repetition, or repeated groups whose alternatives overlap. Against such a pattern, a short input that almost matches forces the engine to retry every way of dividing the input among the groups before it reports failure, so the thread hangs. This defect can be used to mount a Denial of Service (DoS) attack by an attacker who controls either the pattern or the input matched against it.
Examples of patterns that trigger this behavior (the first two nest a quantifier inside a quantified group; the third repeats a group whose alternatives overlap, so "ee" can be consumed either as one "ee" or as two "e"):
(e+)+
([a-zA-Z]+)*
(e|ee)+
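The following Python script is an added example, not part of the original page, that shows the three patterns above backtracking on an input that almost matches, together with the two defenses a practitioner would apply: escape untrusted text so it is never interpreted as a pattern, and rewrite the pattern so the nested or overlapping repetition is gone. The rewritten patterns, the crude nested-quantifier lint, and all sample inputs are assumptions constructed for this example; the lint does not detect overlapping alternation such as (e|ee)+.

```python
import re
import time

# Constructed mapping: each vulnerable pattern from the page next to an
# equivalent rewrite that has no nested or overlapping repetition.
EVIL_TO_SAFE = {
    r"(e+)+": r"e+",
    r"([a-zA-Z]+)*": r"[a-zA-Z]*",
    r"(e|ee)+": r"e+",
}

QUANTIFIERS = "+*?{"


def has_nested_quantifier(pattern):
    """Crude lint (an assumption for this example): flag a quantified group
    whose body already contains a quantifier, e.g. (e+)+ or ([a-z]+)*.
    It does not catch overlapping alternation such as (e|ee)+."""
    stack = []  # one flag per open group: does its body contain a quantifier?
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":            # skip escaped character
            i += 2
            continue
        if c == "[":             # skip a character class as a single atom
            end = pattern.find("]", i + 1)
            i = end + 1 if end != -1 else len(pattern)
            continue
        if c == "(":
            stack.append(False)
        elif c == ")":
            body_quantified = stack.pop() if stack else False
            if body_quantified and i + 1 < len(pattern) and pattern[i + 1] in QUANTIFIERS:
                return True
        elif c in QUANTIFIERS and stack:
            stack[-1] = True
        i += 1
    return False


def literal_search(untrusted, haystack):
    """Defense 1: untrusted data used as a search term is escaped, so it can
    never be evaluated as a pattern. Returns True if the literal text occurs."""
    return re.search(re.escape(untrusted), haystack) is not None


def matches_agree(evil, safe, texts):
    """Defense 2 check: the rewritten pattern accepts exactly the same strings
    as the vulnerable one on the given (short) sample inputs."""
    return all(
        (re.fullmatch(evil, t) is None) == (re.fullmatch(safe, t) is None)
        for t in texts
    )


def timed_fullmatch(pattern, text):
    """Return (matched, seconds) for a single anchored match attempt."""
    start = time.perf_counter()
    matched = re.fullmatch(pattern, text) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    # Constructed attack input: n letters that match, then one that does not,
    # which forces the engine to try every partition of the letters.
    for n in (12, 16, 20):
        text = "e" * n + "!"
        for evil, safe in EVIL_TO_SAFE.items():
            _, t_evil = timed_fullmatch(evil, text)
            _, t_safe = timed_fullmatch(safe, text)
            print(f"n={n:2d}  {evil:14s} {t_evil:9.6f}s   {safe:10s} {t_safe:9.6f}s")
    for pat in list(EVIL_TO_SAFE) + list(EVIL_TO_SAFE.values()):
        print(f"nested quantifier in {pat!r}: {has_nested_quantifier(pat)}")
    print("untrusted '(e+)+' found literally:", literal_search("(e+)+", "pattern (e+)+ is dangerous"))
```

Running the script shows the vulnerable column roughly doubling with each extra "e" for (e+)+ and ([a-zA-Z]+)* while the rewritten column stays flat; a length limit on the input helps only if it is small enough that the worst case is still affordable, so the pattern rewrite or escaping is the real fix.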
[1] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A1 Unvalidated Input
[2] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 185
[3] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 020
[4] Bryan Sullivan Regular Expression Denial of Service Attacks and Defenses