CVE-2026-52746

jsonata-js · jsonata

The JSONata library is vulnerable to a denial of service attack through inefficient regular expression complexity, which can be triggered by specifically crafted input.

Executive summary

A denial of service vulnerability in the JSONata library allows unauthenticated attackers to cause high resource consumption via complex regular expressions.

Vulnerability

The library suffers from inefficient regular expression complexity (CWE-1333), which an unauthenticated attacker can exploit by submitting malicious payloads that exhaust system processing resources.

Business impact

By exploiting this vulnerability, attackers can induce high CPU usage and cause the application to become unresponsive, leading to service degradation or complete denial of service. The CVSS score of 7.5 reflects the high risk this poses to the availability of applications utilizing the library for JSON transformations.

Remediation

Immediate Action: Update the JSONata library to version 2.2.0 or later, which includes fixes for regex processing efficiency.

Proactive Monitoring: Monitor application performance and system resource metrics for sudden spikes in CPU utilization that correlate with incoming data processing requests.

Compensating Controls: Implement input size limits and timeouts for JSON processing tasks to mitigate the impact of resource-intensive operations while the update is being staged.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the ease with which this vulnerability can be automated to cause service disruption, upgrading to version 2.2.0 should be treated as a high priority. Organizations should also ensure that any custom input validation is in place to protect against similar resource-exhaustion vectors.