Not specifying a timeout for regular expressions can lead to a Denial-of-Service attack.
Pass a timeout when using `System.Text.RegularExpressions` to process untrusted input because a malicious user might craft a value for which the evaluation lasts excessively long.

== Ask Yourself Whether

* the input passed to the regular expression is untrusted.
* the regular expression contains patterns vulnerable to https://www.regular-expressions.info/catastrophic.html[catastrophic backtracking].

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

* It is recommended to specify a https://learn.microsoft.com/dotnet/standard/base-types/best-practices#use-time-out-values[`matchTimeout`] when executing a regular expression.
* Make sure regular expressions are not vulnerable to Denial-of-Service attacks by reviewing the patterns.
* Consider using a non-backtracking algorithm by specifying https://learn.microsoft.com/dotnet/api/system.text.regularexpressions.regexoptions?view=net-7.0[`RegexOptions.NonBacktracking`].