What does the Private / Reserved IPv4 Ranges regex match?

Matches IPv4 addresses in private or reserved ranges (RFC 1918, loopback, link-local, etc.).

Is the Private / Reserved IPv4 Ranges regex ReDoS-safe?

Yes. Manually audited and tested against ReDoS attack strings. Anchors and possessive-style constraints prevent runaway backtracking paths.

Security/Network Security

Verified Safe

Private / Reserved IPv4 Ranges Regex for Python

/^(?:10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.(?:1[6-9]|2[0-9]|3[01])\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$/

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching private / reserved ipv4 ranges, ported and verified for Python. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your Python project — whether you're validating in a Django view, a FastAPI endpoint, or a standalone data processing script.

Python Implementation

Python

# Private / Reserved IPv4 Ranges
# ReDoS-safe | RegexVault — Security > Network Security

import re

private_reserved_ipv4_ranges_pattern = re.compile(r'^(?:10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|172\.(?:1[6-9]|2[0-9]|3[01])\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))$')

def validate_private_reserved_ipv4_ranges(value: str) -> bool:
    return bool(private_reserved_ipv4_ranges_pattern.fullmatch(value))

# Example
print(validate_private_reserved_ipv4_ranges("10.0.0.1"))  # True

Test Cases

Matches (Valid)	Rejects (Invalid)
`10.0.0.1`	`8.8.8.8`
`172.16.0.1`	`1.1.1.1`
`192.168.1.1`	`172.15.0.1`
`127.0.0.1`	`172.32.0.1`
`169.254.0.1`	`11.0.0.1`

When to use this pattern

This pattern is drawn from the Security > Network Security category and carries a ReDoS-safe certification. That matters for Python developers because particularly important in Python web servers where CPU-bound regex operations can stall concurrent request handling. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

SSRF (Server-Side Request Forgery) attacks often use private IP addresses to reach internal services. Additional ranges to block: 0.0.0.0/8 (current network), 100.64.0.0/10 (shared address space), 240.0.0.0/4 (reserved). Also handle IPv6 equivalents.

Technical Notes

Private ranges: 10.0.0.0/8 (Class A, RFC 1918), 172.16.0.0/12 (Class B, RFC 1918), 192.168.0.0/16 (Class C, RFC 1918), 127.0.0.0/8 (loopback), 169.254.0.0/16 (link-local APIPA). Use for SSRF protection: reject private IPs in user-supplied URLs.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern