CWE-625: Permissive Regular Expression
The product uses a regular expression that does not sufficiently restrict the set of allowed values.
Last updated
Overview
This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include: not identifying the beginning and end of the target string using wildcards instead of acceptable character ranges others
Real-world CVEs
8 recorded CVEs are caused by CWE-625 (Permissive Regular Expression). The highest-severity and most recent are shown first. 5 new CWE-625 CVEs have been recorded so far in 2026.
- CVE-2026-32973
OpenClaw < 2026.3.11 - Exec Allowlist Pattern Overmatch via POSIX Path Normalization
High · CVSS 8.8 · EPSS 33th2026-03-29 - CVE-2018-8926High · CVSS 8.8 · EPSS 75th2018-06-08
- CVE-2026-34830
Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx
High · CVSS 7.5 · EPSS 11th2026-04-02