Description
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:
Potential Impact
Access Control
Bypass Protection Mechanism
Demonstrative Examples
$phone = GetPhoneNumber();if ($phone =~ /\d+-\d+/) {
# looks like it only has hyphens and digits
system("lookup-phone $phone");}
else {error("malformed number!");}import subprocess
import re
def validate_ip_regex(ip: str):
ip_validator = re.compile(r"((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}")
if ip_validator.match(ip):
return ip
else:
raise ValueError("IP address does not match valid pattern.")
def run_ping_regex(ip: str):
validated = validate_ip_regex(ip)
# The ping command treats zero-prepended IP addresses as octal
result = subprocess.call(["ping", validated])
print(result)Mitigations & Prevention
When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl.
Detection Methods
- Automated Static Analysis High — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
Real-World CVE Examples
| CVE ID | Description |
|---|---|
| CVE-2021-22204 | Chain: regex in EXIF processor code does not correctly determine where a string ends (CWE-625), enabling eval injection (CWE-95), as exploited in the wild per CISA KEV. |
| CVE-2006-1895 | ".*" regexp leads to static code injection |
| CVE-2002-2175 | insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another. |
| CVE-2006-4527 | regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion. |
| CVE-2005-1949 | Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters. |
| CVE-2002-2109 | Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings. |
| CVE-2006-6511 | regexp in .htaccess file allows access of files whose names contain certain substrings |
| CVE-2006-6629 | allow load of macro files whose names contain certain substrings. |
Related Weaknesses
Taxonomy Mappings
- The CERT Oracle Secure Coding Standard for Java (2011): IDS08-J — Sanitize untrusted data passed to a regex
Frequently Asked Questions
What is CWE-625?
CWE-625 (Permissive Regular Expression) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product uses a regular expression that does not sufficiently restrict the set of allowed values.
How can CWE-625 be exploited?
Attackers can exploit CWE-625 (Permissive Regular Expression) to bypass protection mechanism. This weakness is typically introduced during the Implementation phase of software development.
How do I prevent CWE-625?
Key mitigations include: When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl.
What is the severity of CWE-625?
CWE-625 is classified as a Base-level weakness (Medium abstraction). It has been observed in 8 real-world CVEs.