Denial of Service Vulnerability in JSONata Prior to Version 2.2.0
CVE-2026-52746
7.5HIGH
What is CVE-2026-52746?
The JSONata query and transformation language, prior to version 2.2.0, is susceptible to a denial of service attack. Malicious actors can exploit non-matching inputs to the $toMillis function, triggering superlinear backtracking in the ISO-8601 validation regular expressions. This results in significant performance degradation and potential service outages in applications that process user-provided JSONata expressions. Version 2.2.0 addresses this vulnerability, ensuring improved handling of inputs and enhanced stability.
Affected Version(s)
jsonata < 2.2.0
