
CWE-625 Permissive Regular Expression: vulnerability list (7)

Summary of the 7 CVE entries associated with the CWE-625 Permissive Regular Expression weakness class, with AI-generated Chinese analysis.

CWE-625 belongs to the regular-expression class of weaknesses: the regular expression does not sufficiently restrict the set of allowed values. An attacker typically exploits this flaw by crafting malicious input that contains a matching substring, bypassing string-comparison logic that only checks part of the string and thereby triggering other weaknesses. Developers should avoid relying on wildcards for loose matching, should use anchors to mark explicitly where the string begins and ends, and should make sure the regular expression matches the intended content exactly so that invalid input is not accepted by mistake.

Official MITRE CWE description
CWE: CWE-625 Permissive Regular Expression
The product uses a regular expression that does not sufficiently restrict the set of allowed values. This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include: not identifying the beginning and end of the target string; using wildcards instead of acceptable character ranges; others.
Common consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (1)
Implementation: When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl.
Code examples (2)
The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.
    $phone = GetPhoneNumber();
    if ($phone =~ /\d+-\d+/) {
        # looks like it only has hyphens and digits
        # (the pattern is unanchored: any string that merely contains
        # digits-hyphen-digits somewhere passes this check)
        system("lookup-phone $phone");
    }
    else {
        error("malformed number!");
    }
Bad · Perl
This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.
    import subprocess
    import re


    def validate_ip_regex(ip: str):
        # re.match() anchors only the start of the string; the dots are optional
        # (\.?) and the inner alternation has an empty branch, so the pattern
        # accepts more than dotted-quad IPv4 addresses.
        ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")
        if ip_validator.match(ip):
            return ip
        else:
            raise ValueError("IP address does not match valid pattern.")


    def run_ping_regex(ip: str):
        validated = validate_ip_regex(ip)
        # The ping command treats zero-prepended IP addresses as octal
        result = subprocess.call(["ping", validated])
        print(result)
Bad · Python
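The following is an added example, not code from the page or from MITRE: it places the two permissive patterns above (the Perl phone check, re-expressed with Python's `re.search`, and the Python IP validator) beside anchored replacements so the difference in what each accepts can be checked directly. The function names, the `PHONE_STRICT`/`IP_STRICT` patterns and the sample inputs are all constructed for this example.

```python
import re

# Phone check from the Perl example: re.search() behaves like Perl's
# unanchored  $phone =~ /\d+-\d+/  and succeeds on any substring match.
PHONE_PERMISSIVE = re.compile(r"\d+-\d+")
# Anchored form, as the mitigation recommends (/^...$/): the whole string
# must be digit groups joined by hyphens. (Constructed pattern for this example.)
PHONE_STRICT = re.compile(r"^\d+(-\d+)+$")

# IP check from the Python example: start-anchored only, optional dots,
# and an empty branch in the inner alternation.
IP_PERMISSIVE = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")
# Hardened octet: every branch is a complete alternative, 0-255 only,
# no leading zeros; the three dots are mandatory literals. (Constructed.)
OCTET = r"(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IP_STRICT = re.compile(rf"^{OCTET}(\.{OCTET}){{3}}$")


def phone_permissive(s: str) -> bool:
    return PHONE_PERMISSIVE.search(s) is not None


def phone_strict(s: str) -> bool:
    return PHONE_STRICT.fullmatch(s) is not None


def ip_permissive(s: str) -> bool:
    return IP_PERMISSIVE.match(s) is not None


def ip_strict(s: str) -> bool:
    # fullmatch() plus ^...$ also closes the gap that $ alone leaves:
    # in Python, $ matches before a trailing newline, fullmatch() does not.
    return IP_STRICT.fullmatch(s) is not None


def compare(check_permissive, check_strict, samples):
    """Map each constructed sample to (permissive_result, strict_result)."""
    return {s: (check_permissive(s), check_strict(s)) for s in samples}


if __name__ == "__main__":
    for ip, verdicts in compare(ip_permissive, ip_strict,
                                ["192.168.1.1", "192.168.1.1/24",
                                 "1.2.3.4.5", "1.2.3.4\n", "01.2.3.4"]).items():
        print(repr(ip), verdicts)
```

The inputs "192.168.1.1/24", "1.2.3.4.5" and "1.2.3.4\n" pass the page's validator and reach the `ping` call unchanged, while the anchored pattern rejects all three.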
CVE ID         | Title                                                                                    | CVSS | Risk level | Published
CVE-2026-34830 | Rack security vulnerability (rack)                                                       | 5.9  | Medium     | 2026-04-02
CVE-2026-34763 | Rack security vulnerability (rack)                                                       | 5.3  | Medium     | 2026-04-02
CVE-2026-32973 | OpenClaw security vulnerability (OpenClaw)                                               | 9.8  | Critical   | 2026-03-29
CVE-2026-23651 | Microsoft Azure Compute Gallery security vulnerability (Microsoft ACI Confidential Containers) | 6.7 | Medium | 2026-03-05
CVE-2023-6544  | Red Hat Keycloak security vulnerability                                                  | 5.4  | Medium     | 2024-04-25
CVE-2020-8910  | Google Closure Library input validation error vulnerability (Closure-Library)            | 6.5  | Medium     | 2020-03-26
CVE-2018-8926  | Synology Photo Station security vulnerability (Photo Station)                            | 8.8  | -          | 2018-06-08

CWE-625 (Permissive Regular Expression) is a common weakness category; this platform has catalogued 7 CVE entries associated with it.