VYPR

CWE-185

Incorrect Regular Expression

Class · Draft

Description

The product specifies a regular expression in a way that causes data to be improperly matched or compared.

When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-15 · CAPEC-6 · CAPEC-79

CVEs mapped to this weakness (29)

page 1 of 2
  • CVE-2015-8389 (Critical) · Dec 2, 2015
    risk 0.64 · cvss 9.8 · epss 0.04

    PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object…

  • CVE-2026-4296 (High) · Apr 21, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    An incorrect regular expression vulnerability was identified in GitHub Enterprise Server that allowed an attacker to bypass OAuth redirect URI validation. An attacker with knowledge of a first-party OAuth application's registered callback URL could craft a malicious…

  • CVE-2018-17984 (High) · Oct 4, 2018
    risk 0.51 · cvss 7.8 · epss 0.03

    An unanchored /[a-z]{2}/ regular expression in ISPConfig before 3.1.13 makes it possible to include arbitrary files, leading to code execution. This is exploitable by authenticated users who have local filesystem access.

  • CVE-2018-11615 (High) · Aug 30, 2018
    risk 0.49 · cvss 7.5 · epss 0.03

    This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to…

  • CVE-2018-7158 (High) · May 17, 2018
    risk 0.49 · cvss 7.5 · epss 0.03

    The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression,…

  • CVE-2024-36751 (Medium) · Jan 15, 2025
    risk 0.42 · cvss 6.5 · epss 0.01

    An issue in parse-uri v1.0.9 allows attackers to cause a Regular expression Denial of Service (ReDoS) via a crafted URL.

  • CVE-2018-13863 (High) · Jul 10, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    The MongoDB bson JavaScript module (also known as js-bson) versions 0.5.0 to 1.0.x before 1.0.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) in lib/bson/decimal128.js. The flaw is triggered when the Decimal128.fromString() function is called to parse a long…

  • CVE-2018-3737 (High) · Jun 7, 2018
    risk 0.42 · cvss 7.5 · epss 0.02

    sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

  • CVE-2018-3738 (Medium) · Jun 7, 2018
    risk 0.36 · cvss 5.5 · epss 0.01

    protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files.

  • CVE-2026-48147 (Medium) · May 27, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex() / matches() functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the…

  • CVE-2026-25542 (Medium) · Apr 21, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 0.43.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, trusted resources verification policies match a resource source string (refSource.URI) against…

  • CVE-2026-33347 (Medium) · Mar 24, 2026
    risk 0.33 · cvss 6.1 · epss 0.00

    league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain…

  • CVE-2012-3446 (Medium) · Nov 4, 2012
    risk 0.31 · cvss 5.9 · epss 0.01

    Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL…

  • CVE-2026-39350 (Medium) · Apr 15, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression…

  • CVE-2018-7537 (Medium) · Mar 9, 2018
    risk 0.28 · cvss 5.3 · epss 0.05

    An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking…

  • CVE-2018-7536 (Medium) · Mar 9, 2018
    risk 0.28 · cvss 5.3 · epss 0.05

    An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular…

  • CVE-2026-47674 (Medium) · May 28, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the ip-restriction middleware (hono/ip-restriction) compares incoming IP addresses against configured deny and allow rules using string equality after partial normalization.…

  • CVE-2015-8388 · Dec 2, 2015
    risk 0.01 · cvss n/a · epss 0.07

    PCRE before 8.38 mishandles the /(?=di(?<=(?1))|(?=(.))))/ pattern and related patterns with an unmatched closing parenthesis, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression,…

  • CVE-2026-33418 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.00

    DiceBear is an avatar library for designers and developers. Prior to version 9.4.2, the `ensureSize()` function in `@dicebear/converter` used a regex-based approach to rewrite SVG `width`/`height` attributes, capping them at 2048px to prevent denial of service. This size capping…

  • CVE-2026-3419 · Mar 6, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1(https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json…