
CWE-186 (Overly Restrictive Regular Expression) - Vulnerability Class (1 CVE)

1 vulnerability classified as CWE-186 (Overly Restrictive Regular Expression). An AI-generated analysis (originally in Chinese) is included.

CWE-186 is a validation weakness in which a regular expression is narrower than the language it was meant to describe, so it fails to match some of the values it was intended to match. The consequence depends on how the expression is used: when it defines acceptable input (an allowlist), the gap wrongly rejects legitimate values; when it is used to spot unwanted terms (a denylist or detection signature), the gap lets values that should have been caught pass through unnoticed. The second case is the security-relevant one: an attacker who learns which inputs fall just outside the pattern can craft a request that bypasses the check while still carrying the dangerous character or structure into the code behind it. To reduce this risk, test every regex against a deliberately constructed input set that covers the boundaries of each character range and each equivalence class of input, including known attack strings, and compare the results with an independently written statement of what should and should not match. Prefer established, well-vetted libraries for common validation tasks (paths, e-mail addresses, numeric ranges) over hand-written expressions, since those have already been exercised against such cases. Finally, do not let a regex be the only control: with defence in depth, a later layer (parameterised queries, canonicalisation before an access-control decision, output encoding) still holds when the pattern misses a value.

MITRE CWE Description
A regular expression is overly restrictive, which prevents dangerous values from being detected. This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it.
Common Consequences (1)
Scope: Access Control. Technical impact: Bypass Protection Mechanism.
Mitigations (1)
Phase: Implementation. Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence le…
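As an added illustration that is not part of the CWE entry or of this page's own material, the Python script below takes the /[0-8]/-for-/[0-9]/ example from the MITRE description and runs it through the boundary-value and equivalence-partition testing the mitigation recommends, in both usages the description distinguishes: as a denylist that spots unwanted terms and as an allowlist that defines acceptable values. The pattern names, helper functions and the sample input set are constructed for this demonstration.

```python
import re

# Intended character class: any decimal digit.
INTENDED = re.compile(r"[0-9]")
# The overly restrictive pattern MITRE uses as its example: "9" is silently left out.
OVERLY_RESTRICTIVE = re.compile(r"[0-8]")


def denylist_check(pattern, value):
    """Regex used to spot unwanted terms: reject if the pattern matches anywhere."""
    return "reject" if pattern.search(value) else "accept"


def allowlist_check(pattern, value):
    """Regex used to define acceptable values: accept only if the whole value matches."""
    return "accept" if pattern.fullmatch(value) else "reject"


def boundary_samples(lo, hi):
    """Boundary value analysis for a character range lo-hi: the endpoints and their neighbours."""
    return [chr(ord(lo) - 1), lo, hi, chr(ord(hi) + 1)]


# Constructed test corpus: the range boundaries ("/", "0", "9", ":") plus one
# representative of each input partition (empty, interior digit, letter, mixed strings).
SAMPLES = boundary_samples("0", "9") + ["", "8", "a", "user9", "id=8"]


def find_divergences(intended, actual, samples, mode):
    """Return the inputs on which the shipped regex disagrees with the intended one.

    mode="deny": the regex spots unwanted terms, so a divergence is a false negative
    (a bad value that slips through; this is the CWE-186 bypass).
    mode="allow": the regex defines acceptable values, so a divergence is a false
    positive (a legitimate value that is wrongly rejected).
    """
    check = denylist_check if mode == "deny" else allowlist_check
    return [s for s in samples if check(intended, s) != check(actual, s)]


if __name__ == "__main__":
    for mode in ("deny", "allow"):
        print(f"{mode}: {find_divergences(INTENDED, OVERLY_RESTRICTIVE, SAMPLES, mode)}")
```

In deny mode the divergence on "9" and "user9" is the failure the entry describes: the input contains the very character the developer meant to block, yet the check passes. The same off-by-one in allow mode merely rejects a legitimate "9". Comparing the shipped pattern with an independently written reference (or with an explicit table of expected verdicts) over boundary and partition samples is what turns the recommended testing into a repeatable check rather than a one-off manual read of the expression.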
CVE ID          Title                                                        Product   CVSS   Severity   Published
CVE-2025-46821  Envoy vulnerable to bypass of RBAC uri_template permission   envoy     5.3    Medium     2025-05-07

1 CVE is classified as CWE-186 (Overly Restrictive Regular Expression). The CWE taxonomy describes the weakness; review the individual CVE for product-specific impact.