diff --git a/src/controllers/auth.controller.js b/src/controllers/auth.controller.js
index 04e216b0..6872f2d1 100644
--- a/src/controllers/auth.controller.js
+++ b/src/controllers/auth.controller.js
@@ -328,9 +328,9 @@ export const checkEmail = asyncHandler(async (req, res, next) => {
     return next(new AppError('Email requis', 400));
   }
 
-  // Validation format email
-  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
-  if (!emailRegex.test(email)) {
+  // Validation format email (regex sécurisée contre ReDoS avec limite de longueur)
+  const isValidEmail = email.length <= 254 && /^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/.test(email);
+  if (!isValidEmail) {
     return res.json({
       success: true,
       isValid: false,
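Review bot: The new `isValidEmail` line still assumes `email` is a string: a non-string request value such as an array also has a `.length`, and `RegExp.prototype.test` coerces it with `String()`, so a single-element array containing a well-formed address would pass both the length cap and the pattern, while the earlier `Email requis` guard (outside the hunk) presumably only checks presence. Prefix the check with a type test, `const isValidEmail = typeof email === 'string' && email.length <= 254 && /…same pattern…/.test(email);`, so the validation result is only ever computed on an actual string. The ReDoS claim in the comment looks sound for this pattern (single-class `+` for the local part, bounded `{0,61}` quantifiers, and a literal `\.` separating label iterations), with the 254 cap as defence in depth; it may be worth adding to the comment that the cap is applied before the regex runs. The `checkEmail` handler starts before and continues after this hunk.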