CWE-777: Regular Expression without Anchors

VariantIncompleteExploit Likelihood: Medium

The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.

View on MITRE
Back to CWE Lookup

Extended Description

When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression.

Technical Details

Structure
Simple

Applicable To

Languages
Platforms

Frequently Asked Questions

What is CWE-777: Regular Expression without Anchors?+

CWE-777: Regular Expression without Anchors is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through. When performing tasks such as validating against a set of allowed inputs (allowlist), data is examined and possibly modified to ensure that it is well-formed and adheres to a list of safe values. If the regular expression is not anchored, malicious or malformed data may be included before or after any string matching the regular expression. The type of malicious data that is allowed will depend on the context of the application and which anchors are omitted from the regular expression.

What are the security consequences of Regular Expression without Anchors?+

If exploited, CWE-777 (Regular Expression without Anchors) it can compromise Availability, Confidentiality and Access Control, leading to outcomes such as Bypass Protection Mechanism.

How do you prevent or mitigate Regular Expression without Anchors?+

Recommended mitigations for CWE-777 include: Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define an allowlist strictly limited to what is matched by the text in the regular expression. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary.

What are real-world examples of Regular Expression without Anchors?+

MITRE documents real CVEs mapped to CWE-777, including CVE-2022-30034. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-777 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More