fix:Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation

[mmmsssttt404]

Steps to reproduce
Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

dayjs/src/constant.js

Line 30 in 6e83128

export const REGEX_FORMAT = /\[([^\]]+)]|Y{1,4}|M{1,4}|D{1,2}|d{1,4}|H{1,2}|h{1,2}|a|A|m{1,2}|s{1,2}|Z{1,2}|SSS/g

dayjs/src/plugin/localizedFormat/utils.js

Line 3 in 6e83128

format.replace(/(\[[^\]]+])|(MMMM|MM|DD|dddd)/g, (_, a, b) => a || b.slice(1))

dayjs/src/plugin/localizedFormat/utils.js

Line 14 in 6e83128

export const u = (formatStr, formats) => formatStr.replace(/(\[[^\]]+])|(LTS?|l{1,4}|L{1,4})/g, (_, a, b) => {

1.git clone https://gitclone.com/github.com/mmmsssttt404/dayjs.git
2.npm install
3.npm test -- test/plugin/localizedFormat.test.js --coverage=falsequit
//or npm test

use time: (More than 10s)

Proposed Solution:
Change the regular expression to

https://github.com/mmmsssttt404/dayjs/blob/a6b0f1da9dba76d6beec6573d188f6aa74fca225/src/constant.js#L30

https://github.com/mmmsssttt404/dayjs/blob/a6b0f1da9dba76d6beec6573d188f6aa74fca225/src/plugin/localizedFormat/utils.js#L1-L17

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS

[mmmsssttt404]

Benchmarks show clear quadratic growth with input size, not linear. Even at ~100k chars, runtime reaches several seconds. ReDoS does not require exponential blowup — quadratic behavior is already recognized as exploitable