Base · Medium

CWE-624: Executable Regular Expression Error

CWE-624 · Base Level · 4 CVEs · 1 Mitigation

Description

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.

Potential Impact

Confidentiality, Integrity, Availability

Execute Unauthorized Code or Commands

Mitigations & Prevention

Implementation

The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.
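The following PHP example is added here to illustrate the two cases above and the quoting mitigation; it is not code from the CWE entry or from any of the listed CVEs. The function names and the sample text are constructed for the example. It uses preg_quote(), which is PHP's equivalent of Perl's \Q...\E, and preg_replace_callback() in place of any executable modifier. Note that the /e modifier this weakness centres on was deprecated in PHP 5.5 and removed in PHP 7.0, so the unsafe form only executes code on legacy PHP 5.x; the injection shape (user input controlling the pattern's delimiter and modifier section) is what the example demonstrates.

```php
<?php
// Added example, not from the CWE entry. Function names are hypothetical.

// UNSAFE (CWE-624 case 2): the user-supplied term is concatenated straight
// into the pattern string. Because the term is not escaped, an unescaped
// delimiter inside it ends the pattern body early, and whatever follows is
// parsed as pattern modifiers. On PHP 5.x that includes "e", which turned the
// replacement string into code passed to eval().
function highlight_unsafe(string $text, string $term, string $replacement): string
{
    $pattern = '/' . $term . '/';
    return (string) preg_replace($pattern, $replacement, $text);
}

// SAFE: preg_quote() escapes every regex metacharacter and, with the second
// argument, the delimiter as well, so the term can only ever match literally.
// Delimiters and modifiers are fixed by the code, never by the input.
function highlight_safe(string $text, string $term): string
{
    $pattern = '/' . preg_quote($term, '/') . '/i';
    // When the replacement must be computed, use a callback. The callback is
    // real code compiled with the application, not a string that gets evaluated.
    return (string) preg_replace_callback($pattern, function (array $m): string {
        return '<mark>' . htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8') . '</mark>';
    }, $text);
}

// If the application legitimately accepts a whole pattern from a trusted-but-
// not-fully-trusted source (an admin search filter, say), validate its shape
// before use: require a fixed delimiter, a body with no unescaped delimiter,
// and a modifier set drawn from an explicit allowlist.
function validate_user_pattern(string $pattern): bool
{
    // Expected shape: "/" body "/" modifiers. The body may contain "\/" but
    // not a bare "/", so the modifier section is exactly what follows the
    // second delimiter.
    if (!preg_match('~^/((?:\\\\.|[^/\\\\])*)/([a-zA-Z]*)$~', $pattern, $m)) {
        return false;
    }
    // Allowlist of modifiers that only change matching behaviour.
    // "e" (and anything else unknown) is rejected.
    $allowed = 'imsux';
    if (strspn($m[2], $allowed) !== strlen($m[2])) {
        return false;
    }
    // Finally make sure the pattern actually compiles; preg_match() returns
    // false (with a warning, suppressed here) on an invalid pattern.
    return @preg_match($pattern, '') !== false;
}

// Constructed sample input.
$text = 'Contact admin@example.com for access.';
echo highlight_safe($text, 'admin@example.com'), PHP_EOL;

// Shape validation: a plain case-insensitive pattern passes, a pattern
// carrying an executable modifier or a stray delimiter does not.
var_dump(validate_user_pattern('/foo/i'));
var_dump(validate_user_pattern('/foo/e'));
var_dump(validate_user_pattern('/fo/o/'));
```

The validator is deliberately stricter than PCRE itself: PCRE accepts any of several delimiter characters, but pinning one delimiter and an allowlist of modifiers means an input can never reach the modifier section with something the code did not choose, which is exactly what the CVEs in this entry relied on.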

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

Real-World CVE Examples

CVE ID          Description
CVE-2006-2059   Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace
CVE-2005-3420   Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace
CVE-2006-2878   Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the "/e" modifier
CVE-2006-2908   Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.

Taxonomy Mappings

  • Software Fault Patterns: SFP24 — Tainted input to command

Frequently Asked Questions

What is CWE-624?

CWE-624 (Executable Regular Expression Error) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

How can CWE-624 be exploited?

Attackers can exploit CWE-624 (Executable Regular Expression Error) to execute unauthorized code or commands. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-624?

Key mitigations include: the regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.

What is the severity of CWE-624?

CWE-624 is classified as a Base-level weakness (Medium abstraction). It has been observed in 4 real-world CVEs.