CVE-2026-52746
Advisory (GitHub summary)
Impact
In JSONata versions earlier than v2.2.0, it is possible to craft non-matching inputs to the $toMillis function that cause superlinear backtracking in the ISO-8601 validation regex. This may lead to denial of service in applications that evaluate user-provided JSONata expressions.
Patches
This issue has been addressed in JSONata versions 2.2.0 and later via fixes that include https://github.com/jsonata-js/jsonata/pull/782 and https://github.com/jsonata-js/jsonata/pull/793. Applications that evaluate user-provided expressions should update as soon as possible to prevent exploitation.
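To check whether a project still resolves an affected copy, the following added example (not code from the JSONata project or from this advisory) scans an npm lockfile for `jsonata` entries below 2.2.0, including nested transitive copies. The sample lockfile and the package names `rules-engine` and `report-lib` are constructed, and treating pre-releases of 2.2.0 as affected is a conservative assumption.

```javascript
// Added example: find JSONata copies below 2.2.0 in a parsed npm lockfile.
const FIXED = [2, 2, 0]; // first patched release according to the advisory

// True when `version` sorts before 2.2.0. Pre-releases of 2.2.0 itself
// (e.g. "2.2.0-beta.1") count as affected: a conservative assumption.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true; // unparseable or missing version: flag for manual review
  const parts = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // exactly 2.2.0 is fixed; 2.2.0-<pre> is not
}

// Handles lockfileVersion 2/3 (flat "packages" map keyed by install path)
// and lockfileVersion 1 (nested "dependencies" tree).
function findAffectedJsonata(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/jsonata$/.test(path) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "jsonata" && isAffected(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  // v2 lockfiles carry both maps; walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (hypothetical project and package names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsonata": { version: "2.2.0" },
    "node_modules/rules-engine/node_modules/jsonata": { version: "1.8.6" },
    "node_modules/report-lib/node_modules/jsonata": { version: "2.0.5" },
  },
};
console.log(findAffectedJsonata(sampleLock));
```

In a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffectedJsonata`; a direct dependency on a fixed version does not rule out an older nested copy pulled in by another package.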
References
https://github.com/jsonata-js/jsonata/releases/tag/v2.2.0
Credit
Thank you to Doruk Tan Öztürk for disclosing this issue.
Common Weakness Enumeration (CWE)
Inefficient Regular Expression Complexity