A format string attack, at its simplest, is this:

char buffer[128];
gets(buffer);
printf(buffer);

There's a buffer overflow vulnerability in there as well, but the point is this: you're passing untrusted data (from the user) to printf (or one of its cousins) that uses that argument as a format string.

That is: if the user types in "%s", you've got an information-disclosure vulnerability, because printf will treat the user input as a format string, and will attempt to print the next thing on the stack as a string. It's as if your code said printf("%s");. Since you didn't pass any other arguments to printf, it'll display something arbitrary.

If the user types in "%n", you've got a potential elevation of privilege attack (at least a denial of service attack), because the %n format string causes printf to write the number of characters printed so far to the next location on the stack. Since you didn't give it a place to put this value, it'll write to somewhere arbitrary.

This is all bad, and is one reason why you should be extremely careful when using printf and cousins.

What you should do is this:

printf("%s", buffer);

This means that the user's input is never treated as a format string, so you're safe from that particular attack vector.

In Visual C++, you can use the __Format_string annotation to tell it to validate the arguments to printf. %n is disallowed by default. In GCC, you can use __attribute__(__printf__) for the same thing.

Answer from Roger Lipscombe on Stack Overflow
🌐
Stack Overflow
stackoverflow.com › questions › 67159498 › fortify-denial-of-service-format-string
java - Fortify -Denial of Service_Format String - Stack Overflow
public String formatMessage(String code, Object... args) { Optional<ErrorDetails> error = errorRepository.findByCode(code); if (error.isPresent()) { String msg = error.get().getMessage(); //msg is for e.g "Message with parameters: %s, %s" return String.format(msg, args); } return ""; } ... This error can only happen when attackers are able to write malicious messages into your error-table, so unless that is in no way possible then this may be a false-positive ... Okay but is there a way to overcome this issue by making in some changes instead of marking it off as false positive.
🌐
OWASP Foundation
owasp.org › www-community › attacks › Format_string_attack
Format string attack | OWASP Foundation
In this case, if a Format String parameter, like %x, is inserted into the posted data, the string is parsed by the Format Function, and the conversion specified in the parameters is executed.
Discussions

Protection from Format String Vulnerability - Stack Overflow
That is: if the user types in "%s", ... as a format string, and will attempt to print the next thing on the stack as a string. It's as if your code said printf("%s");. Since you didn't pass any other arguments to printf, it'll display something arbitrary. If the user types in "%n", you've got a potential elevation of privilege attack (at least a denial of service attack), because ... More on stackoverflow.com
🌐 stackoverflow.com
Format string vulnerability in Java? - Information Security Stack Exchange
In Java, that doesn't work; if you pass a string (or any other reference type) and somebody messes with the format string to ask for a hex number, it'll just cause an exception again. It's worth noting that there is ONE kind of vulnerability possible here: denial of service. More on security.stackexchange.com
🌐 security.stackexchange.com
December 1, 2023
java - Denial of service: regular expression - Stack Overflow
The second line is vulnerable to Denial of Service: regular expression. How to resolve this issue? I tried different ways, but nothing is working out. ... First, I think your security scanning tool is overly critical: This is unlikely to cause an issue. Second, even so constructing a regex at runtime is a bad habit to get into and can almost always be avoided entirely. Especially this specific use seems weird: what are you trying to do here? If you want a string ... More on stackoverflow.com
🌐 stackoverflow.com
asp.net - Fortify Denial of Service: Regular Expression in C# - Stack Overflow
For example it will flag a string like -a/:/dd as a valid URL when it's not. You can check UrlAttribute source code line 46 for an example of a regular expression that matches URLs or google URL regular expression. But make sure that the regular expression you are using doesn't take exponential time to execute which can cause denial of service ... More on stackoverflow.com
🌐 stackoverflow.com
🌐
Whitelist1
whitelist1.com › 2016 › 11 › xformat-string-attacks-disclosure-of_2.html
Whitelist: FORMAT STRING ATTACKS - Disclosure of information and DoS
November 2, 2016 - - In this late case the attack would result into a denial-of-service attack (DoS), since the program fails without performing the purpose for it was written. - Another interesting converter for conducting String Format attacks is converter % x, which reads the stack in hexadecimal values.
Top answer
1 of 2
4

A format string attack, at its simplest, is this:

char buffer[128];
gets(buffer);
printf(buffer);

There's a buffer overflow vulnerability in there as well, but the point is this: you're passing untrusted data (from the user) to printf (or one of its cousins) that uses that argument as a format string.

That is: if the user types in "%s", you've got an information-disclosure vulnerability, because printf will treat the user input as a format string, and will attempt to print the next thing on the stack as a string. It's as if your code said printf("%s");. Since you didn't pass any other arguments to printf, it'll display something arbitrary.

If the user types in "%n", you've got a potential elevation of privilege attack (at least a denial of service attack), because the %n format string causes printf to write the number of characters printed so far to the next location on the stack. Since you didn't give it a place to put this value, it'll write to somewhere arbitrary.

This is all bad, and is one reason why you should be extremely careful when using printf and cousins.

What you should do is this:

printf("%s", buffer);

This means that the user's input is never treated as a format string, so you're safe from that particular attack vector.

In Visual C++, you can use the __Format_string annotation to tell it to validate the arguments to printf. %n is disallowed by default. In GCC, you can use __attribute__(__printf__) for the same thing.

2 of 2
2

In this pseudo code the user enters some characters to be printed, like "hello"

string s=getUserInput();
write(s)

That works as intended. But since the write can format strings, for example

int i=getUnits();
write("%02d units",i);

outputs: "03 units". What about if the user in the first place wrote "%02d"... since there is no parameters on the stack, something else will be fetched. What that is, and if that is a problem or not depends on the program.

An easy fix is to tell the program to output a string:

write("%s",s);

or use another method that don't try to format the string:

output(s);

a link to wikipedia with more info.

🌐
GitLab
advisories.gitlab.com › npm › @angular › common › CVE-2026-54268
@angular/common: Denial of Service (DoS) via OOM in Date Formatting (formatDate) | GitLab Advisory Database (GLAD)
1 month ago - A Denial of Service (DoS) vulnerability exists in the @angular/common package of the Angular framework. The formatDate function, which is also utilized by the standard Angular DatePipe, does not properly limit or validate the length of the format parameter. When parsing a maliciously crafted, ...
🌐
Americanpolymers
dev.americanpolymers.mx › honesty-in › denial-of-service-format-string
denial of service format string
The file starts with a header containing a magic number (as a readable string) and the version of the format, for example %PDF-1.7. This was fixed in revision 1578341. The Format String is the argument of the Format Function and is an ASCII Z string which contains text and format parameters, like: ...
🌐
Infosec Institute
resources.infosecinstitute.com › topic › format-string-bug-exploration
Format String Bug Exploration | Infosec
May 19, 2015 - In case of supplying a malicious format string containing either of these format specifiers, and no valid memory address exists, where the corresponding variable should be, then the process will succumb to attempting to dereference the stack, which causes a denial of service.
Find elsewhere
🌐
Security Boulevard
securityboulevard.com › home › security bloggers network › how to exploit format string vulnerabilities
How to exploit Format String Vulnerabilities - Security Boulevard
September 30, 2020 - As mentioned in the previous article, following are some of the attacks possible using Format String vulnerabilities. Leaking secrets · Denial of Service · Leaking memory addresses · Overwriting memory addresses · In this article, let us discuss the first two items.
Top answer
1 of 2
3

There are two high-threat things you can do with format string vulnerabilities in C - leak data and overwrite memory - and neither are relevant in Java. Java's string formatter doesn't even have the "conversion" that is used for overwriting memory, as you noticed. However, Java also is generally safe against such attacks because Java - unlike C - actually checks the number of variadic parameters expected against the number present. If you request a parameter that isn't present - either by index or just by having too many conversions - the formatter will throw an exception. So, there's no way to run off the end of the parameter list and start reading other information from the stack (which is generally not intended to be user-viewable, and may reveal secrets ranging from ASLR masks to cryptographic keys, which could be useful if an attacker can control the format string and invoke the function multiple times).

Interestingly, Java doesn't object if you pass too many variadic parameters - only too few - so you can potentially reveal things that are not normally revealed if the function call is written with excess parameters that aren't usually used. However, that's a pretty unlikely kind of bug, and even then, you could only reveal what those parameters are.

Java's conversions are also type-safe. For example, in C, you can expose pointer values (very valuable when trying to write memory exploits, especially since this can also reveal things like ASLR masks) by asking a format string function to render a pointer (such as to a string) as a numeric type. In Java, that doesn't work; if you pass a string (or any other reference type) and somebody messes with the format string to ask for a hex number, it'll just cause an exception again.

It's worth noting that there is ONE kind of vulnerability possible here: denial of service. An attacker who controls the format string can easily cause the app to throw an exception, for example by supplying the illegal format conversion %0$d (which requests the "zeroeth" parameter as an integer type, when such indices must start at 1). This exception, if uncaught, will cause a crash (even if caught, it may prevent the app from completing its operation correctly). However, as far as I can tell, such denial-of-service risk is the only realistic threat from user-controlled format strings in Java.

2 of 2
2

There are multiple potential vulnerabilities with this:

  • Log injection / log forging
    Depending on how you use the formatted message afterwards, it might be possible to perform log injection, for example to deceive the person reading the log files. However, this is also possible to some extent when the user input is only used as formatting argument.
  • Leaking arguments
    If additional arguments are provided to the format call which are not or only partially included in the formatted message by default, then a user-provided format string could expose these unused arguments.
    While some advisories mention this vulnerability, personally I think this is rather unlikely because the arguments to be leaked already have to part of the formatting call, e.g. String.format(userFormatStr, arg1, secretArg).
  • Denial of service: Runtime exception
    A user-controlled malformed format string could cause runtime exceptions such as a IllegalFormatException. Depending on how your application handles this, it might allow performing a denial of service attack.
  • Denial of service: Memory consumption
    The width of a format specifier can be misused to allocate large amounts of memory. This also works for the specifier %% (e.g. %10000%), so this can be performed regardless of which format arguments are provided.

More information:

  • Fortify: Denial of Service: Format String
  • SEI CERT Oracle Coding Standard for Java: IDS06-J. Exclude unsanitized user input from format strings
  • Tweet by Wouter Coekaerts about width denial of service
🌐
Stack Exchange
security.stackexchange.com › q › 123811
web application - Remote Help HTTP GET Request Format String Denial Of Service Vulnerability - Information Security Stack Exchange
Is there any solution for "HTTP GET Request Format String Denial Of Service Vulnerability" in the Remote Help software? I have referred many places but I could not find a solution. Please refer the
🌐
OWASP Foundation
owasp.org › www-community › attacks › Regular_expression_Denial_of_Service_-_ReDoS
Regular expression Denial of Service - ReDoS | OWASP Foundation
String userName = textBox1.Text; String password = textBox2.Text; Regex testPassword = new Regex(userName); Match match = testPassword.Match(password); if (match.Success) { MessageBox.Show("Do not include name in password."); } else { MessageBox.Show("Good password."); } If an attacker enters ^(([a-z])+.)+[A-Z]([a-z])+$ as a username and aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa! as a password, the program will hang. Regular Expression Denial Of Service / Crosby&Wallach, Usenix Security 2003
🌐
Microsoft Learn
learn.microsoft.com › en-us › archive › msdn-magazine › 2010 › may › security-briefs-regular-expression-denial-of-service-attacks-and-defenses
Security Briefs - Regular Expression Denial of Service Attacks and Defenses | Microsoft Learn
At the Open Web Application Security Project (OWASP) Israel Conference 2009, Checkmarx Chief Architect Alex Roichman and Senior Programmer Adar Weidman presented some excellent research on the topic of regular expression DoS, or “ReDoS.” Their research revealed that a poorly written regular expression can be exploited so that a relatively short attack string (fewer than 50 characters) can take hours or more to evaluate.
🌐
OWASP Foundation
owasp.org › www-community › attacks › Denial_of_Service
Denial of Service | OWASP Foundation
While the most serious risk related to a buffer overflow is the ability to execute arbitrary code on the server, the first risk comes from the denial of service that can happen if the application crashes. The following is a simplified example of vulnerable code in C: void overflow (char *str) { char buffer[10]; strcpy(buffer, str); // Dangerous! } int main () { char *str = "This is a string that is larger than the buffer of 10"; overflow(str); }
🌐
Infosec Institute
resources.infosecinstitute.com › topic › how-to-exploit-format-string-vulnerabilities
How to exploit format string vulnerabilities - Infosec Resources
September 21, 2020 - As mentioned in the previous article, the following are some of the attacks possible using format string vulnerabilities. Leaking secrets · Denial of Service · Leaking memory addresses · Overwriting memory addresses · In this article, let us discuss the first two items.
🌐
Snyk Learn
learn.snyk.io › home › security education › redos | tutorial & examples
ReDoS | Tutorial & Examples | Snyk Learn
February 23, 2026 - One possible way is through what is known as Regular Expression Denial of Service (ReDoS). A ReDoS attack attempts to slow down or even render an application unavailable. It is attacked the A as in Availability in the famous CIA triad of cybersecurity. Attackers do this by providing an application with a malicious string to be processed by its regex engine against a vulnerable (or "evil") regex pattern.
🌐
Stack Overflow
stackoverflow.com › questions › 68361056 › fortify-denial-of-service-regular-expression-in-c-sharp
asp.net - Fortify Denial of Service: Regular Expression in C# - Stack Overflow
//web config <add key="RegexPatternx" value="^[ a-zA-Z0-9\-\./:]+$"/> //Code var regexPattern = ConfigurationManager.AppSettings["RegexPatternx"]; string referrerHost = "localhost.test:80/"; // Set the regex pattern to validate the target and referrerHost var regexItem = new Regex(regexPattern, RegexOptions.Compiled | RegexOptions.IgnoreCase);// Fortify issue line Denial of Service: Regular Expression var targetHost = target.Replace("http://", "").Replace("https://", ""); string[] urlParameters = { targetHost, referrerHost }; foreach (var urlPart in urlParameters) { if (urlPart != null) { var isRegexMatch = regexItem.IsMatch(urlPart); if (!isRegexMatch) { _log.LogInfo(loggingContext, "Cannot redirect as the target site URL is Invalid."); RedirectToErrorPage(); return; } } }
🌐
Snyk
snyk.io › blog › redos-and-catastrophic-backtracking
Regular Expression Denial of Service (ReDoS) and Catastrophic Backtracking | Snyk
January 17, 2017 - If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.Let’s look at how our expression runs into this problem, using a shorter string: “ACCCX”. While it seems fairly straightforward, there are still four different ways that the engine could match those three C’s:
🌐
GitHub
github.com › dynamicexpresso › DynamicExpresso › discussions › 302
Potential Vulnerability: Regular expression Denial of Service - ReDoS · dynamicexpresso/DynamicExpresso · Discussion #302
I came across a potential denial of service vulnerability, if a malicious expression is used the regular expression could run indefinite and may result in denial of service error. internal class Detector { private readonly ParserSettings _settings; private static readonly Regex IdentifiersDetectionRegex = new Regex(@"(?<id>@?[\p{L}\p{Nl}_][\p{L}\p{Nl}\p{Nd}\p{Mn}\p{Mc}\p{Pc}\p{Cf}_]*)", RegexOptions.Compiled); private static readonly string Id = IdentifiersDetectionRegex.ToString(); private static readonly string Type = Id.Replace("<id>", "<type>"); private static readonly Regex LambdaDetectio
Author   dynamicexpresso