CWE-186Overly Restrictive Regular Expression

PUBLISHEDweakness record
released 2006-07-19 · last modified 2026-04-30

Metadata

CWE ID:
CWE-186
摘要:
Base
结构:
Simple
状态:
Draft
发布日期:
2006-07-19
更新日期:
2026-04-30

名称

Overly Restrictive Regular Expression

描述

A regular expression is overly restrictive, which prevents dangerous values from being detected.

This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it.

常见后果

范围:
Access Control
影响:
Bypass Protection Mechanism

相关 CWE