CVEbaza.plCWE DictionaryCWE-624
Common Weakness Enumeration

CWE-624

Executable Regular Expression Error

Category: BaseCVE: 2
Description

The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.

Extended Description

Case (2) is possible in the PHP preg_replace() function, and possibly in other languages when a user-controlled input is inserted into a string that is later parsed as a regular expression.

CVE vulnerabilities with CWE-624 (2)
9.2
CVSS
CRITICAL
CVE-2026-25237

PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0.

pub. 2026-02-03
7.5
CVSS
HIGH
CVE-2024-41655

TF2 Item Format helps users format TF2 items to the community standards. Versions of `tf2-item-format` since at least `4.2.6` and prior to `5.9.14` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any `tf2-item-format` to parse user input. Version `5.9.14` contains a fix for the issue.

pub. 2024-07-23
Information
ID: CWE-624
Type: Base
Vulnerabilities: 2
MITRE CWE ↗
← CWE Dictionary