ReDoS attacks pose severe threats to real-world systems, yet a critical gap persists between academic research and industrial practice: most scholarly work lacks weaponized validation in realistic environments, while mainstream regex engines have already integrated built-in defenses—rendering traditional threat models obsolete. This paper bridges the divide by jointly analyzing academic literature and industrial regex engines (via source code, documentation, and empirical evaluation), systematically uncovering research gaps and deployment discrepancies in detection, protection, and mitigation. Our contributions are twofold: (1) We identify three open challenges—evaluating emerging defenses, supporting engineer migration to secure patterns, and unifying performance defect analysis with asymmetric DoS across engine families; (2) We propose an engineering-evolution–oriented ReDoS research framework that advances defense methods from theoretical constructs toward robust, production-ready deployment.

Regular Expression Denial of Service (ReDoS) is a vulnerability class that has become prominent in recent years. Attackers can weaponize such weaknesses as part of asymmetric cyberattacks that exploit the slow worst-case matching time of regular expression (regex) engines. In the past, problematic regular expressions have led to outages at Cloudflare and Stack Overflow, showing the severity of the problem. While ReDoS has drawn significant research attention, there has been no systematization of knowledge to delineate the state of the art and identify opportunities for further research. In this paper, we describe the existing knowledge on ReDoS. We first provide a systematic literature review, discussing approaches for detecting, preventing, and mitigating ReDoS vulnerabilities. Then, our engineering review surveys the latest regex engines to examine whether and how ReDoS defenses have been realized. Combining our findings, we observe that (1) in the literature, almost no studies evaluate whether and how ReDoS vulnerabilities can be weaponized against real systems, making it difficult to assess their real-world impact; and (2) from an engineering view, many mainstream regex engines now have ReDoS defenses, rendering many threat models obsolete. We conclude with an extensive discussion, highlighting avenues for future work. The open challenges in ReDoS research are to evaluate emerging defenses and support engineers in migrating to defended engines. We also highlight the parallel between performance bugs and asymmetric DoS, and we argue that future work should capitalize more on this similarity and adopt a more systematic view on ReDoS-like vulnerabilities.