Fix ReDoS vulnerability in stack trace parsing (Issue #35490)

[everettbu]

Mirror of facebook/react#35538
Original author: sujay-bhandari

---

Summary

How did you test this change?

[greptile-apps]

Greptile Summary

Fixed a ReDoS (Regular Expression Denial of Service) vulnerability in CHROME_STACK_REGEXP by replacing the inefficient pattern /^\s*at .*(\S+:\d+|\(native\))/m with /^\s*at .*(?:\(|:\d+)/m.

The original regex had catastrophic backtracking due to competing greedy quantifiers (.* followed by \S+), which could cause exponential time complexity when processing malicious input. The new pattern simplifies the logic to detect Chrome/V8 stack traces by checking for either ( or :\d+, which are present in all V8 stack frame formats while avoiding the performance vulnerability. The change maintains full compatibility with the existing stack trace parsing logic.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk - it fixes a critical security vulnerability with a well-scoped regex change
• The change is a focused security fix that eliminates catastrophic backtracking in the regex pattern. The new pattern correctly detects all Chrome/V8 stack formats while avoiding the ReDoS vulnerability. The change is minimal (one line) and maintains backward compatibility
• No files require special attention

Important Files Changed

Filename	Overview
packages/react-devtools-shared/src/backend/utils/parseStackTrace.js	Fixed ReDoS vulnerability by simplifying regex pattern from `/^\sat .(\S+:\d+