Description
A regular expression is overly restrictive, which prevents dangerous values from being detected.
Extended Description
This weakness is not about regular expression complexity. Rather, it is about a regular expression that does not match all values that are intended. Consider the use of a regexp to identify acceptable values or to spot unwanted terms. An overly restrictive regexp misses some potentially security-relevant values leading to either false positives *or* false negatives, depending on how the regexp is being used within the code. Consider the expression /[0-8]/ where the intention was /[0-9]/. This expression is not "complex" but the value "9" is not matched when maybe the programmer planned to check for it.
CVE vulnerabilities with CWE-186 (2)
5.3
CVSS
MEDIUM
CVE-2025-46821
pub. 2025-05-07
2.1
CVSS
LOW
CVE-2026-47241
pub. 2026-06-22