CWE-185: Incorrect Regular Expression
The product specifies a regular expression in a way that causes data to be improperly matched or compared.
Last updated
Overview
When the regular expression is used in protection mechanisms such as filtering or validation, this may allow an attacker to bypass the intended restrictions on the incoming data.
Real-world CVEs
22 recorded CVEs are caused by CWE-185 (Incorrect Regular Expression). The highest-severity and most recent are shown first. 11 new CWE-185 CVEs have been recorded so far in 2026 (1 in 2025).
- CVE-2024-2223Critical · CVSS 9.8 · EPSS 41th2024-04-09
- CVE-2026-25896
fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names
Critical · CVSS 9.3 · EPSS 36th2026-02-20 - CVE-2026-27895
LAM has incorrect regular expression in PDF export component that allows user to upload files of any type
High · CVSS 8.8 · EPSS 34th2026-03-17 - CVE-2020-3408High · CVSS 8.6 · EPSS 72th2020-09-24
- CVE-2024-52289
authentik has an insecure default configuration for OAuth2 Redirect URIs
High · CVSS 7.9 · EPSS 61th2024-11-21 - CVE-2026-4296
Incorrect Regular Expression vulnerability in GitHub Enterprise Server allowed unauthorized access to user accounts via OAuth callback URL validation bypass
High · CVSS 7.5 · EPSS 24th2026-04-21 - CVE-2026-33418
@dicebear/converter ensureSize() Vulnerable to SVG Dimension Capping Bypass via XML Comment Injection
High · CVSS 7.5 · EPSS 30th2026-03-24 - CVE-2025-20139High · CVSS 7.5 · EPSS 46th2025-04-02
- CVE-2018-7158High · CVSS 7.5 · EPSS 87th2018-05-17
- CVE-2026-56021
Webmin information disclosure via regex pattern
Medium · CVSS 6.9 · EPSS 20th2026-06-18 - CVE-2026-25542
Tekton Pipelines: VerificationPolicy regex pattern bypass via substring matching
Medium · CVSS 6.5 · EPSS 18th2026-04-21 - CVE-2026-25479
Litestar has an AllowedHosts validation bypass due to unescaped regex metacharacters in configured host patterns
Medium · CVSS 6.5 · EPSS 24th2026-02-09
Showing 12 of 22 recorded CWE-185 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-185 vulnerabilitiesCommon consequences
What can happen when CWE-185 is exploited.
Unexpected State, Varies by Context
Affects: Other
When the regular expression is not correctly specified, data might have a different format or type than the rest of the program expects, producing resultant weaknesses or errors.
Bypass Protection Mechanism
Affects: Access Control
In PHP, regular expression checks can sometimes be bypassed with a null byte, leading to any number of weaknesses.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
How to prevent it
Practical mitigations for CWE-185, grouped by where in the lifecycle they apply.
Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
The following code takes phone numbers as input, and uses a regular expression to reject invalid phone numbers.
Vulnerable example
$phone = GetPhoneNumber();An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression.
This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.
Vulnerable example
import subprocessSince the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, then prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly.
Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2002-2109 — Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
- CVE-2005-1949 — Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
- CVE-2001-1072 — Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.
- CVE-2000-0115 — Local user DoS via invalid regular expressions.
- CVE-2002-1527 — chain: Malformed input generates a regular expression error that leads to information exposure.
- CVE-2005-1061 — Certain strings are later used in a regexp, leading to a resultant crash.
- CVE-2005-2169 — MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../".
- CVE-2005-0603 — Malformed regexp syntax leads to information exposure in error message.
- CVE-2005-1820 — Code injection due to improper quoting of regular expression.
- CVE-2005-3153 — Null byte bypasses PHP regexp check.
- CVE-2005-4155 — Null byte bypasses PHP regexp check.
Terminology & mappings
Mapped taxonomies
- PLOVER: Regular Expression Error
Attack patterns
CAPEC attack patterns that exploit this weakness.
Frequently asked questions
Common questions about CWE-185.
- What is CWE-185?
- The product specifies a regular expression in a way that causes data to be improperly matched or compared.
- What CVEs are caused by CWE-185?
- 22 recorded CVEs are attributed to CWE-185, including CVE-2024-2223, CVE-2026-25896, CVE-2026-27895.
- How do you prevent CWE-185?
- Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplify one large regular expression. Also, subject the regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved, a regular expression may not be foolproof. If an exploit is allowed to slip through, then record the exploit and refactor the regular expression.
- How is CWE-185 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-185?
- Exploiting CWE-185 can lead to: Unexpected State, Varies by Context, Bypass Protection Mechanism.
- Is CWE-185 actively exploited?
- 22 recorded CVEs are caused by CWE-185; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-185) (opens in a new tab)
- CWE-185 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-185
Get alerted the moment a new CWE-185 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.