Anonymous Intelligence Signal

Claude Slack Bot Helper Exposed to ReDoS via Markdown Table Regex

human · The Lab · unverified · 2026-04-06 08:27:02 · Source: GitHub Issues

A regex pattern in Claude's Slack bot helper contains nested quantifiers, a construction that can lead to catastrophic backtracking and CPU exhaustion. The pattern, held in the `MARKDOWN_TABLE_RE` constant, is applied to incoming Slack message text, so a crafted message could trigger a ReDoS (Regular Expression Denial of Service) condition that leaves the bot hung while the regex engine backtracks.

The pattern lives in the helper file `.claude/skills/setup-spa/helpers.ts` at line 668. The regex `\|.+\|\n\|[-: |]+\|\n(?:\|.+\|\n?)*` is meant to recognise a markdown table (a header row, a separator row, then zero or more body rows), but it nests the unbounded `.+` inside the repeated group `(?:...)*`. The issue reports that input containing thousands of pipe characters that never form a valid table drives the engine into exponential backtracking. One caveat a reviewer should check before accepting that rating: as quoted, nothing follows the trailing `(?:\|.+\|\n?)*` group that could force the overall match to fail, which is the usual precondition for the exponential case; the unanchored header portion `\|.+\|\n` does, however, rescan a long run of pipes from every `|` position, which is at least quadratic. Measuring the pattern on a pipe-flood payload is the quickest way to settle which it is. The attack surface is publicly reachable via Slack messages, though the probability of exploitation is currently assessed as low.

The issue rates the severity LOW, but the impact is concrete: CPU exhaustion and a denial of service for the bot. Exploitability is rated medium, since it only requires a user to submit a crafted message. Two mitigations are suggested. The quick one is an input length limit, for example rejecting raw text over 50,000 characters before the regex runs; note that a cap bounds the cost per message rather than removing the superlinear behaviour, so the number should be chosen against a measured worst case. The robust one is to replace the regex with a linear-time, line-by-line parser that avoids nested quantifiers entirely, which is the fix a reviewer should ask for. The finding is a reminder that ReDoS keeps turning up in seemingly innocuous text-processing utilities that sit behind collaborative platforms.
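The following is an added example, not code from the project or the issue, showing both mitigations side by side: a hard length cap applied before any parsing, and a line-by-line markdown table detector that visits each character once and so cannot backtrack. It also keeps the quoted regex around, under the assumed name `ORIGINAL_TABLE_RE`, with a small timing helper so the quadratic-versus-exponential question above can be measured on a constructed pipe-flood payload rather than argued. The names `MAX_RAW_TEXT`, `findMarkdownTables`, `timeRegexMs` and the sample inputs are illustrative assumptions; the only identifier taken from the page is the regex itself.

```typescript
// Added example (not project code). Linear-time markdown table detection plus
// an input cap, as a replacement for a backtracking regex.

// The pattern quoted in the advisory, kept only so its cost can be measured.
export const ORIGINAL_TABLE_RE = /\|.+\|\n\|[-: |]+\|\n(?:\|.+\|\n?)*/;

// Assumed cap, matching the 50,000-character figure suggested in the issue.
export const MAX_RAW_TEXT = 50_000;

export interface MarkdownTable {
  startLine: number;   // 0-based index of the header line
  endLine: number;     // 0-based index of the last line that belongs to the table
  header: string[];
  rows: string[][];
}

// A table row starts and ends with '|' once surrounding whitespace is removed.
// (The regex requires the '|' to be the first character; trimming is a
// deliberate, slightly more lenient choice.)
function isRow(line: string): boolean {
  const t = line.trim();
  return t.length >= 2 && t.startsWith("|") && t.endsWith("|");
}

// Separator row: '|' ... '|' with only '-', ':', ' ' and '|' inside, and at
// least one '-'. The regex's [-: |]+ would also accept "| |"; requiring a dash
// is a stricter choice made here to avoid treating "| |" as a separator.
function isSeparator(line: string): boolean {
  const t = line.trim();
  if (!isRow(t)) return false;
  let sawDash = false;
  for (let i = 1; i < t.length - 1; i++) {
    const c = t[i];
    if (c === "-") sawDash = true;
    else if (c !== ":" && c !== " " && c !== "|") return false;
  }
  return sawDash;
}

// Split "| a | b |" into ["a", "b"]. split() is linear in the line length.
function splitCells(line: string): string[] {
  return line.trim().slice(1, -1).split("|").map((c) => c.trim());
}

// Scan once over the lines: header + separator opens a table, consecutive
// pipe-delimited lines extend it, anything else closes it. Every line is
// examined at most once, so the whole pass is O(input length) with no
// backtracking, whatever the input looks like.
export function findMarkdownTables(text: string): MarkdownTable[] {
  if (text.length > MAX_RAW_TEXT) {
    throw new RangeError(`input of ${text.length} chars exceeds ${MAX_RAW_TEXT}`);
  }
  const lines = text.split("\n");
  const tables: MarkdownTable[] = [];
  let i = 0;
  while (i < lines.length) {
    if (i + 1 < lines.length && isRow(lines[i]) && isSeparator(lines[i + 1])) {
      const header = splitCells(lines[i]);
      const rows: string[][] = [];
      let j = i + 2;
      while (j < lines.length && isRow(lines[j])) {
        rows.push(splitCells(lines[j]));
        j++;
      }
      tables.push({ startLine: i, endLine: j - 1, header, rows });
      i = j;
    } else {
      i++;
    }
  }
  return tables;
}

// Wall-clock cost of one regex test, for comparing payload sizes by hand.
export function timeRegexMs(re: RegExp, input: string): number {
  const start = performance.now();
  re.test(input);
  return performance.now() - start;
}

// Constructed inputs: a small valid table embedded in chatter, and the
// "thousands of pipes that do not form a table" payload the issue describes.
export const SAMPLE_MESSAGE =
  "deploy notes\n| host | status |\n|---|:--:|\n| web-1 | ok |\n| web-2 | degraded |\nend\n";
export const PIPE_FLOOD = "|".repeat(4000);
```

To compare the two approaches on a larger payload, call `timeRegexMs(ORIGINAL_TABLE_RE, "|".repeat(n))` for increasing `n` and watch whether the time grows roughly with `n²` or explodes; `findMarkdownTables` on the same inputs stays flat until the cap rejects them. Keep `n` below the cap when measuring so the comparison is like for like.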