Executable Regular Expression Error

Status: Incomplete
Abstraction: Base
Structure: Simple
Description

This vulnerability occurs when an application uses a regular expression that can execute code, either because it directly contains executable logic with unsafe user input, or because an attacker can inject pattern modifiers that enable code execution.

Extended Description

This flaw typically manifests in two ways. First, when user-supplied data is directly embedded into a regular expression pattern that gets evaluated as executable code, allowing an attacker to break out of the pattern context and run arbitrary commands. Second, and more subtly, when an attacker can inject special pattern modifiers (like the 'e' modifier in PHP's `preg_replace()`) that instruct the regex engine to execute the replacement string as code, effectively turning a simple text substitution into a remote code execution vulnerability. Developers should treat all user input destined for regex patterns as untrusted and avoid dynamically constructing patterns with it whenever possible. Special attention is required for functions like PHP's `preg_replace()` that historically supported the dangerous 'e' modifier, but the principle applies to any language or library where regex evaluation can cross into code execution. Always use safe, predefined patterns or rigorously validate and sanitize input to prevent modifier injection.

Common Consequences
Scope: Confidentiality, Integrity, Availability

Impact: Execute Unauthorized Code or Commands

Potential Mitigations
Phase: Implementation
The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.
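The following PHP code is an added illustration, not part of the CWE entry: it shows the modifier-injection variant from the Extended Description next to a hardened form that applies the quoting idea from the mitigation above (PHP's preg_quote() plays the role of Perl's \Q...\E). Function names and inputs are constructed.

```php
<?php
// Added example (not from the CWE entry); function names and inputs are constructed.

// VULNERABLE: the developer opens the delimiter but the user supplies the rest of
// the pattern. Input like "term/e" closes it and appends the "e" modifier; on
// PHP 5.x the replacement is then evaluated as PHP code after backreference
// substitution, so the matched text ($0) becomes part of the evaluated code.
// PHP 7+ refuses /e: it emits a warning and returns NULL.
function highlightVulnerable(string $userPattern, string $subject): ?string
{
    return preg_replace('/' . $userPattern, '<mark>$0</mark>', $subject);
}

// HARDENED: delimiter and modifiers are fixed in code; preg_quote() escapes
// metacharacters and the delimiter, so input can neither close the pattern nor
// add modifiers. preg_replace_callback() never treats a string as code.
function highlightSafe(string $userTerm, string $subject): string
{
    if ($userTerm === '') {
        return $subject;                       // empty pattern matches everywhere
    }
    $pattern = '/' . preg_quote($userTerm, '/') . '/i';
    $result = preg_replace_callback($pattern, static function (array $m): string {
        return '<mark>' . htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8') . '</mark>';
    }, $subject);
    return $result ?? $subject;                // NULL on PCRE error: fail closed
}

// Defensive check for code that must accept a complete pattern string: allow only
// PCRE modifiers that cannot lead to code execution, rejecting "e" or anything unknown.
function patternModifiersAreSafe(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $delim = $pattern[0];
    // Bracket delimiters close with a different character; reject rather than parse.
    if (ctype_alnum($delim) || $delim === '\\' || strpos('([{<', $delim) !== false) {
        return false;
    }
    $end = strrpos($pattern, $delim);
    if ($end === false || $end === 0) {
        return false;
    }
    return preg_match('/^[imsxuADSUXJ]*$/', substr($pattern, $end + 1)) === 1;
}
```

patternModifiersAreSafe() is only a backstop for legacy code that cannot stop accepting whole patterns; the primary fix is highlightSafe()'s approach of never letting input reach the delimiter or modifier position.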
Observed Examples
CVE-2006-2059: Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace
CVE-2005-3420: Executable regexp in PHP by inserting "e" modifier into first argument to preg_replace
CVE-2006-2878: Complex curly syntax inserted into the replacement argument to PHP preg_replace(), which uses the "/e" modifier
CVE-2006-2908: Function allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.
Applicable Platforms
Languages:
PHP: Undetermined
Perl: Undetermined
Modes of Introduction
Implementation
Taxonomy Mapping
  • Software Fault Patterns
Notes
Research Gap: Under-studied. The existing PHP reports are limited to highly skilled researchers, but there are few examples for other languages. It is suspected that this is under-reported for all languages. Usability factors might make it more prevalent in PHP, but this theory has not been investigated.