Anonymous Intelligence Signal

Security Review Flags Potential ReDoS Vulnerability in Nexus-Agents Base64 Detection Regex

human | The Lab | unverified | 2026-04-25 12:54:08 | Source: GitHub Issues

A code review conducted under internal security protocol MED #11 has identified a potential Regular Expression Denial of Service (ReDoS) vulnerability in the Nexus-Agents input sanitization module. The flaw resides in `packages/nexus-agents/src/security/input-sanitizer.ts` at line 103, where base64 detection relies on a regex with a lookahead assertion: `/(?=[A-Za-z0-9+/]*[g-zG-Z+/=])[A-Za-z0-9+/]{40,}={0,2}/`. The weakness is classified under CWE-1333 (Inefficient Regular Expression Complexity).

The lookahead `(?=[A-Za-z0-9+/]*[g-zG-Z+/=])` does not search for characters outside the base64 alphabet; everything it accepts is a legal base64 character. Its evident purpose is to require at least one character that cannot occur in a hex string (a letter beyond `f`, `+`, `/`, or `=` padding) so that long hex digests are not reported as base64. The cost is that `[A-Za-z0-9+/]*` must scan ahead and then backtrack. On an input that is one long run of base64-alphabet characters containing none of those required characters, which is exactly the hex-only case the lookahead exists to reject, the lookahead consumes the rest of the run, fails, gives back one character at a time, and finally fails at that offset, after which the engine retries from the next offset. Total work is therefore proportional to the square of the run length rather than to its length: quadratic, not exponential, but still enough for a long enough input to pin a CPU core for seconds. Inputs that do contain a required character resolve quickly, and the 40-character minimum in `{40,}` does not bound the cost, because the lookahead runs before it at every offset. The review notes that the current implementation lacks a pre-check length cap, which would otherwise bound runtime exposure.

The discovering party characterizes the impact as a DoS-on-self scenario, meaning the vulnerability primarily threatens the service running the sanitization logic rather than enabling external attack vectors. The practical check is where the sanitizer is invoked: if it runs on request bodies or messages supplied by untrusted clients, the triggering input is attacker-controlled and the issue should be treated as remotely triggerable. The advisory explicitly invites reclassification if its assessment proves incorrect and recommends converting the tracking issue to a draft security advisory if warranted. Suggested remediation is to rewrite the detection so that it no longer depends on the lookahead, or to enforce a hard size limit on inputs before any regex matching; the two are complementary, since a cap bounds the worst case even if a later change to the pattern reintroduces backtracking. The reviewer also recommends benchmarking against 10KB base64-like strings to confirm bounded execution time; for this particular pattern the most punishing benchmark input is a hex-only string, which keeps the lookahead failing at every offset. The issue carries a medium severity rating and remains open for resolution.
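To make both the mechanism and the remediation concrete, the following is an added TypeScript example; it is not Nexus-Agents code and does not reproduce the sanitizer's surrounding logic. It reproduces the quoted regex verbatim, places beside it a lookahead-free linear scanner with the same accept/reject behaviour (a run of at least 40 base64-alphabet characters that contains a non-hex character or is followed by `=` padding), and times both on hex-only inputs of increasing size, the worst case for the quoted pattern. The cap `MAX_SCAN_LENGTH`, the name `MIN_RUN`, the function names, and the decision to raise `RangeError` on overlong input rather than silently skip detection are assumptions made for this example, not project settings. The sample strings are constructed for the example: the base64 sample is the conventional opening of a PEM-encoded RSA public key, and the hex sample is the SHA-256 of the empty string.

```typescript
// Added example, not Nexus-Agents code: the regex quoted in the review beside a
// lookahead-free, length-capped detector, plus a timing harness for both.

// The pattern quoted in the review, reproduced verbatim (the vulnerable form).
const VULNERABLE_BASE64_RE = /(?=[A-Za-z0-9+/]*[g-zG-Z+/=])[A-Za-z0-9+/]{40,}={0,2}/;

// Assumptions for this example, not project settings: the minimum run length the
// quoted regex uses, and a hard cap applied before any scanning takes place.
const MIN_RUN = 40;
const MAX_SCAN_LENGTH = 16 * 1024;

function isBase64Alphabet(c: number): boolean {
  // 0-9, A-Z, a-z, '+', '/'
  return (c >= 48 && c <= 57) || (c >= 65 && c <= 90) || (c >= 97 && c <= 122) || c === 43 || c === 47;
}

// Base64-alphabet characters that can never appear in a hex string: g-z, G-Z, '+', '/'.
// This is what the quoted lookahead's [g-zG-Z+/=] class is really filtering for; '='
// is handled separately below because it terminates a run rather than belonging to it.
function isNonHexBase64(c: number): boolean {
  return (c >= 103 && c <= 122) || (c >= 71 && c <= 90) || c === 43 || c === 47;
}

// Detector as the review found it: a single regex test, no length cap.
function detectVulnerable(input: string): boolean {
  return VULNERABLE_BASE64_RE.test(input);
}

// Hardened detector: refuse oversized input up front, then walk each maximal run
// of base64-alphabet characters exactly once. A run is reported when it is at
// least MIN_RUN long and either contains a non-hex character or is immediately
// followed by '=' padding, which is the accept condition the regex encodes.
function detectSafe(input: string): boolean {
  if (input.length > MAX_SCAN_LENGTH) {
    // Design choice for the example: fail loudly rather than silently skip detection.
    throw new RangeError("input of " + input.length + " chars exceeds scan cap of " + MAX_SCAN_LENGTH);
  }
  let runLength = 0;
  let runHasNonHex = false;
  for (let i = 0; i <= input.length; i++) {
    const c = i < input.length ? input.charCodeAt(i) : -1; // -1 marks end of input
    if (c !== -1 && isBase64Alphabet(c)) {
      runLength++;
      if (isNonHexBase64(c)) runHasNonHex = true;
      continue;
    }
    // A run (if any) just ended at a non-alphabet character or at end of input.
    if (runLength >= MIN_RUN && (runHasNonHex || c === 61 /* '=' */)) return true;
    runLength = 0;
    runHasNonHex = false;
  }
  return false;
}

function repeatString(unit: string, count: number): string {
  let out = "";
  for (let i = 0; i < count; i++) out += unit;
  return out;
}

// Worst case for the quoted regex: one long hex-only run. The lookahead scans to
// the end of the run and fails at every start offset, so cost grows quadratically.
function hexOnlyInput(length: number): string {
  return repeatString("deadbeef", Math.ceil(length / 8)).slice(0, length);
}

// Wall-clock timing of both detectors on hex-only inputs of the given sizes.
function benchmark(sizes: number[]): { size: number; vulnerableMs: number; safeMs: number }[] {
  return sizes.map((size) => {
    const input = hexOnlyInput(size);
    const t0 = Date.now(); detectVulnerable(input);
    const t1 = Date.now(); detectSafe(input);
    const t2 = Date.now();
    return { size, vulnerableMs: t1 - t0, safeMs: t2 - t1 };
  });
}

// Constructed samples: the conventional opening of a PEM-encoded RSA public key
// (44 base64 characters) and the SHA-256 of the empty string (64 hex characters).
const SAMPLE_BASE64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA";
const SAMPLE_HEX = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";

const EQUIVALENCE_SAMPLES: string[] = [
  SAMPLE_BASE64,
  SAMPLE_HEX,
  SAMPLE_HEX + "=",                 // hex followed by padding: both detectors accept it
  repeatString("g", MIN_RUN - 1),   // one short of the threshold
  repeatString("g", MIN_RUN),
  "token=" + SAMPLE_BASE64 + "&next=1",
  hexOnlyInput(5000),
  "",
];

// True when the linear scanner and the quoted regex agree on every sample.
function detectorsAgree(inputs: string[]): boolean {
  return inputs.every((s) => detectVulnerable(s) === detectSafe(s));
}

for (const row of benchmark([1000, 2000, 4000, 8000])) {
  console.log(row.size + " hex chars: quoted regex " + row.vulnerableMs + " ms, linear scan " + row.safeMs + " ms");
}
console.log("detectors agree on samples: " + detectorsAgree(EQUIVALENCE_SAMPLES));
```

Run stand-alone, the quoted regex's time roughly quadruples with each doubling of the hex-only input while the linear scan stays flat, and the equivalence check confirms the two detectors classify the constructed samples identically, including the edge case where a hex run followed by `=` is accepted by both. The cap value should be derived from the largest legitimate payload the sanitizer actually needs to inspect rather than the 16 KiB placeholder used here.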