
CWE-625 (Permissive Regular Expression) — Vulnerability Class 7

7 vulnerabilities classified as CWE-625 (Permissive Regular Expression). AI analysis in Chinese included.

CWE-625 represents a critical input validation weakness where regular expressions fail to adequately restrict the set of allowed values. This flaw typically arises when developers omit anchors, such as start and end markers, causing the pattern to match substrings rather than the entire target string. Attackers exploit this by injecting malicious payloads that partially satisfy the permissive pattern, potentially bypassing security controls or triggering downstream vulnerabilities like injection attacks. To mitigate this risk, developers must rigorously define regex boundaries using explicit start and end anchors. Additionally, implementing strict input validation libraries and conducting thorough code reviews ensures that patterns evaluate complete strings rather than accepting dangerous partial matches, thereby closing the gap between intended and actual validation logic.

MITRE CWE Description
The product uses a regular expression that does not sufficiently restrict the set of allowed values. This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:
- not identifying the beginning and end of the target string
- using wildcards instead of acceptable character ranges
- others
Common Consequences (1)
Access Control: Bypass Protection Mechanism
Mitigations (1)
Implementation: When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl.
Examples (2)
The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.
$phone = GetPhoneNumber();
# no ^ or $ anchors: the test succeeds on any string that merely contains
# digits-hyphen-digits, and the whole of $phone then reaches system() unchecked
if ($phone =~ /\d+-\d+/) {
    # looks like it only has hyphens and digits
    system("lookup-phone $phone");
}
else {
    error("malformed number!");
}
Bad · Perl
This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.
import subprocess
import re


def validate_ip_regex(ip: str):
    # re.match() anchors only at the start of the string; with no end anchor,
    # anything following a valid dotted quad is accepted along with it
    ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")
    if ip_validator.match(ip):
        return ip
    else:
        raise ValueError("IP address does not match valid pattern.")


def run_ping_regex(ip: str):
    validated = validate_ip_regex(ip)
    # The ping command treats zero-prepended IP addresses as octal
    result = subprocess.call(["ping", validated])
    print(result)
Bad · Python
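The two patterns from the examples above next to anchored replacements, as an added example that is not part of the CWE entry or of this site's content. The permissive IPv4 regex is the one from the Python example; the strict octet pattern, the use of re.ASCII, and the NNN-NNN-NNNN phone layout are assumptions made for this illustration.

```python
import re

# Added example (constructed here, not from the CWE entry): the permissive
# IPv4 pattern from the page's Python example beside an anchored replacement,
# and the same fix applied to the phone-number regex from the Perl example.

# Permissive: re.match() anchors only at the start, and the trailing \.?\b
# accepts any word boundary, so text after a valid dotted quad is accepted.
PERMISSIVE_IP = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")

# Strict: one octet alternative with no empty branch, exactly three dots,
# re.ASCII so \d means [0-9] rather than every Unicode digit, and fullmatch()
# (equivalent to \A...\Z) so the whole string must be the address.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
STRICT_IP = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}", re.ASCII)


def permissive_ip_ok(ip: str) -> bool:
    return PERMISSIVE_IP.match(ip) is not None


def strict_ip_ok(ip: str) -> bool:
    return STRICT_IP.fullmatch(ip) is not None


# Phone numbers: Perl's =~ is a search, so \d+-\d+ accepts any string that
# merely contains digits-hyphen-digits. The strict form assumes a
# NNN-NNN-NNNN layout (an assumption for this example) and anchors it.
PERMISSIVE_PHONE = re.compile(r"\d+-\d+")
STRICT_PHONE = re.compile(r"\d{3}-\d{3}-\d{4}", re.ASCII)


def permissive_phone_ok(s: str) -> bool:
    return PERMISSIVE_PHONE.search(s) is not None


def strict_phone_ok(s: str) -> bool:
    return STRICT_PHONE.fullmatch(s) is not None


if __name__ == "__main__":
    # Constructed inputs: the permissive pattern passes the extra-segment and
    # trailing-text cases; the strict one rejects them and leading zeros.
    for ip in ["192.168.1.1", "1.2.3.4.5", "1.2.3.4 extra", "256.1.1.1", "01.2.3.4"]:
        print(f"{ip!r:16} permissive={permissive_ip_ok(ip)} strict={strict_ip_ok(ip)}")
```

Note that in Python 3 an un-flagged `\d` also matches non-ASCII decimal digits, so the permissive pattern accepts an "address" written in Arabic-Indic digits while the re.ASCII version rejects it.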

Vulnerabilities classified as CWE-625 (Permissive Regular Expression) represent 7 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.