Run static analysis (SAST) on the code, looking for the insecure pattern in the data flow.
Regular Expression without Anchors
This vulnerability occurs when a regular expression used for validation or sanitization lacks anchors, allowing unintended characters or malicious payloads to bypass security checks.
What is CWE-777?
Real-world CVEs caused by CWE-777
- Chain: Web UI for a Python RPC framework does not use regex anchors to validate user login emails (CWE-777), potentially allowing bypass of OAuth (CWE-1390).
Attacker path step by step
1. Consider a web application that supports multiple languages. It selects messages for an appropriate language by using the lang parameter.
2. The previous code attempts to match only alphanumeric values so that language values such as "english" and "french" are valid while also protecting against path traversal, CWE-22. However, the regular expression anchors are omitted, so any text containing at least one alphanumeric character will now pass the validation step. For example, the attack string below will match the regular expression.
3. If the attacker can inject code sequences into a file, such as the web server's HTTP request log, then the attacker may be able to redirect the lang parameter to the log file and execute arbitrary code.
4. This code uses a regular expression to validate an IP string prior to using it in a call to the "ping" command.
5. Since the regular expression does not have anchors (CWE-777), i.e. is unbounded without ^ or $ characters, prepending a 0 or 0x to the beginning of the IP address will still result in a matched regex pattern. Since the ping command supports octal and hex prepended IP addresses, it will use the unexpectedly valid IP address (CWE-1389). For example, "0x63.63.63.63" would be considered equivalent to "99.63.63.63". As a result, the attacker could potentially ping systems that the attacker cannot reach directly.
Vulnerable PHP
Consider a web application that supports multiple languages. It selects messages for an appropriate language by using the lang parameter.
$dir = "/home/cwe/languages";
$lang = $_GET['lang'];
if (preg_match("/[A-Za-z0-9]+/", $lang)) {
    include("$dir/$lang");
}
else {
    echo "You shall not pass!\n";
}
The previous code attempts to match only alphanumeric values so that language values such as "english" and "french" are valid while also protecting against path traversal, CWE-22. However, the regular expression anchors are omitted, so any text containing at least one alphanumeric character will now pass the validation step. For example, the attack string below will match the regular expression.
../../etc/passwd
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
    const safe = validateAndEscape(input);
    return executeWithGuards(safe);
}
How to prevent CWE-777
- Implementation: Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define an allowlist strictly limited to what is matched by the text in the regular expression. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary.
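The two validations discussed on this page (the lang parameter and the IP string passed to ping), shown unanchored and anchored, as an added example that is not code from the original page. The IP patterns are constructed because the page does not show its IP regex, and all function and constant names are hypothetical.

```javascript
// Unanchored: test() succeeds if ANY substring of the input matches.
const LANG_UNANCHORED = /[A-Za-z0-9]+/;                       // pattern from the page
const IP_UNANCHORED = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/;   // constructed for illustration

// Anchored allowlists: the WHOLE input must consist of the allowed text.
const LANG_ANCHORED = /^[A-Za-z0-9]+$/;
// One octet, 0-255, decimal only, no leading zeros (so no octal or hex forms).
const OCTET = "(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])";
const IP_ANCHORED = new RegExp(`^${OCTET}(?:\\.${OCTET}){3}$`);

// Pitfall: with the m flag, ^ and $ match at every line boundary, so one
// clean line anywhere in the input is enough to pass.
const LANG_PER_LINE = /^[A-Za-z0-9]+$/m;

function isValidLang(value) {
  return typeof value === "string" && LANG_ANCHORED.test(value);
}

function isValidIPv4(value) {
  return typeof value === "string" && IP_ANCHORED.test(value);
}

// Run each constructed sample through the weak and strict checks.
function compareLang(samples) {
  return samples.map((s) => ({
    input: s,
    unanchored: LANG_UNANCHORED.test(s),
    perLine: LANG_PER_LINE.test(s),
    anchored: isValidLang(s),
  }));
}

function compareIp(samples) {
  return samples.map((s) => ({
    input: s,
    unanchored: IP_UNANCHORED.test(s),
    anchored: isValidIPv4(s),
  }));
}

// Constructed sample inputs.
console.log(compareLang(["english", "../../etc/passwd", "english\n../../etc/passwd"]));
console.log(compareIp(["99.63.63.63", "0x63.63.63.63", "099.63.63.63"]));
```

In PHP, `$` also matches before a final newline unless the D modifier is set, so the equivalent anchored pattern there is `/\A[A-Za-z0-9]+\z/`.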
How to detect CWE-777
Run dynamic application security testing (DAST) against the live endpoint.
Monitor runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.
Code review: flag any new code that handles input from this surface without using the framework's validated helpers.
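A minimal static check for the pattern shown in the Vulnerable PHP section, as an added example (not Plexicus's engine and not code from the original page). It is a line-based heuristic over literal preg_match patterns; the function name and the sample source lines are constructed, apart from the first sample line, which is the call from this page.

```javascript
// Matches preg_match( "<delim><body><delim><flags>"  with either quote style.
const PREG_CALL = /preg_match\(\s*(["'])(.)(.*?)\2([A-Za-z]*)\1/;

// Heuristic only: one call per line, and it does not analyse alternation
// such as /^a|b$/, where the anchors bind to a single branch.
function findUnanchoredPregMatch(source) {
  const findings = [];
  source.split("\n").forEach((line, index) => {
    const m = PREG_CALL.exec(line);
    if (!m) return;
    const body = m[3];
    const flags = m[4];
    const reasons = [];
    if (!/^(?:\^|\\A)/.test(body)) reasons.push("no start anchor");
    if (!/(?:(?<!\\)\$|\\z)$/.test(body)) reasons.push("no end anchor");
    // With the m modifier, ^ and $ match per line, not per input.
    if (flags.includes("m") && /\^|\$/.test(body)) reasons.push("per-line anchors (m)");
    if (reasons.length > 0) {
      findings.push({ line: index + 1, pattern: body, reasons });
    }
  });
  return findings;
}

// Constructed sample: line 1 is the call from this page, the rest are
// hypothetical variants.
const SAMPLE_SOURCE = [
  'if (preg_match("/[A-Za-z0-9]+/", $lang)) {',
  'if (preg_match("/^[A-Za-z0-9]+$/", $lang)) {',
  "if (preg_match('/^[a-z]+$/m', $name)) {",
  "if (preg_match('/\\A[a-z]+\\z/', $name)) {",
].join("\n");

for (const f of findUnanchoredPregMatch(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: /${f.pattern}/ -> ${f.reasons.join(", ")}`);
}
```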
Plexicus automatically detects CWE-777 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this specific weakness, and delivers a review-ready pull request with the patch. No tickets. No handoffs.
Frequently asked questions
What is CWE-777?
This vulnerability occurs when a regular expression used for validation or sanitization lacks anchors, allowing unintended characters or malicious payloads to bypass security checks.
How severe is CWE-777?
MITRE rates the likelihood of exploit as Medium: exploitation is realistic but usually requires specific conditions.
Which languages or platforms are affected by CWE-777?
MITRE has not specified affected platforms for this CWE; it can apply to most application stacks.
How can I prevent CWE-777?
Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define an allowlist strictly limited to what is matched by the text in the regular expression. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary.
How does Plexicus detect and fix CWE-777?
The Plexicus SAST engine detects the data-flow signature for CWE-777 on every commit. When there is a match, our Codex Remedium agent opens a fix PR with the corrected code, the tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-777?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/777.html. You can also consult the OWASP and NIST documentation for related guidance.