CWE-777Regular Expression without Anchors

PUBLISHEDweakness recordMedium
released 2009-07-27 · last modified 2025-12-11

Metadata

CWE ID:
CWE-777
摘要:
Variant
结构:
Simple
状态:
Incomplete
发布日期:
2009-07-27
更新日期:
2025-12-11

名称

Regular Expression without Anchors

描述

The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.

When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression.

常见后果

范围:
Availability, Confidentiality, Access Control
影响:
Bypass Protection Mechanism
注释:
An unanchored regular expression in the context of an allowlist will possibly result in a protection mechanism failure, allowing malicious or malformed data to enter trusted regions of the program. The specific consequences will depend on what functionality the allowlist was protecting.

相关 CWE