Base weakness
Draft
CWE-625: Permissive Regular Expression
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Last updated
7
Recorded CVEs
With this primary weakness
0
KEVs
In the CISA KEV catalog
Not rated
Likelihood of exploit
Per MITRE
Base
Abstraction
MITRE classification
Overview
This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include: not identifying the beginning and end of the target string using wildcards instead of acceptable character ranges others
Real-world CVEs
7 recorded CVEs are caused by CWE-625 (Permissive Regular Expression). The highest-severity and most recent are shown first. 4 new CWE-625 CVEs have been recorded so far in 2026.