CWE-185
Incorrect Regular Expression
Description
The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-15 · CAPEC-6 · CAPEC-79
CVEs mapped to this weakness (29)
page 2 of 2| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-25896 | 0.00 | — | 0.00 | Feb 20, 2026 | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an… | |||
| CVE-2026-25479 | 0.00 | — | 0.00 | Feb 9, 2026 | Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character).… | |||
| CVE-2026-24398 | 0.00 | — | 0.00 | Jan 27, 2026 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts`… | |||
| CVE-2025-54365 | 0.00 | — | 0.01 | Jul 23, 2025 | fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch… | |||
| CVE-2020-36649 | 0.00 | — | 0.01 | Jan 11, 2023 | A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this… | |||
| CVE-2021-27293 | — | 0.00 | — | 0.02 | Jul 12, 2021 | RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an… | ||
| CVE-2020-2288 | 0.00 | — | 0.01 | Oct 8, 2020 | In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling. | |||
| CVE-2019-14993 | — | 0.00 | — | 0.02 | Aug 13, 2019 | Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API. | ||
| CVE-2018-20164 | 0.00 | — | 0.03 | Feb 13, 2019 | An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS) issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a value containing a long… |
- CVE-2026-25896Feb 20, 2026risk 0.00cvss —epss 0.00
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an…
- CVE-2026-25479Feb 9, 2026risk 0.00cvss —epss 0.00
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. Prior to 2.20.0, in litestar.middleware.allowed_hosts, allowlist entries are compiled into regex patterns in a way that allows regex metacharacters to retain special meaning (e.g., . matches any character).…
- CVE-2026-24398Jan 27, 2026risk 0.00cvss —epss 0.00
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts`…
- CVE-2025-54365Jul 23, 2025risk 0.00cvss —epss 0.01
fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch…
- CVE-2020-36649Jan 11, 2023risk 0.00cvss —epss 0.01
A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this…
- CVE-2021-27293Jul 12, 2021risk 0.00cvss —epss 0.02
RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an…
- CVE-2020-2288Oct 8, 2020risk 0.00cvss —epss 0.01
In Jenkins Audit Trail Plugin 3.6 and earlier, the default regular expression pattern could be bypassed in many cases by adding a suffix to the URL that would be ignored during request handling.
- CVE-2019-14993Aug 13, 2019risk 0.00cvss —epss 0.02
Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.
- CVE-2018-20164Feb 13, 2019risk 0.00cvss —epss 0.03
An issue was discovered in regex.yaml (aka regexes.yaml) in UA-Parser UAP-Core before 0.6.0. A Regular Expression Denial of Service (ReDoS) issue allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to a value containing a long…