Skip to content

Security: redos in jsonata-python #40

Description

@gnsehfvlr

Security Vulnerability: ReDoS (Regular Expression Denial of Service) in jsonata-python

Summary

The jsonata-python library version 0.6.3 is vulnerable to Regular Expression Denial of Service (ReDoS). User-controlled input in JSONata expressions is passed directly to Python's re.compile() without sanitization, allowing an attacker to supply crafted regex patterns that cause catastrophic backtracking and hang the process.

Affected Package

Vulnerability Details

In tokenizer.py lines 124-160, the JSONata tokenizer extracts the pattern between /../ delimiters from a JSONata expression and passes it directly to re.compile(). Because no validation or sanitization is applied to the pattern string before compilation, an attacker who controls the JSONata expression input can supply an arbitrarily complex regex (e.g., one with nested quantifiers) that triggers catastrophic backtracking in the Python re engine. This causes the process to consume 100% CPU and become unresponsive for an extended or indefinite period.

The attack vector is any application that accepts user-supplied JSONata expressions and evaluates them using this library — a common pattern in data transformation pipelines and API gateways.

Proof of Concept

import jsonata

# Crafted JSONata expression containing a ReDoS regex pattern.
# The pattern (a+)+ against a long non-matching string triggers catastrophic backtracking.
malicious_expression = "/^(a+)+$/"

# Provide a long input string that causes backtracking to explode.
evil_input = "a" * 30 + "!"

# This call will hang the Python process (CPU spins at 100%).
result = jsonata.Jsonata(malicious_expression).evaluate(evil_input)

Impact

An unauthenticated remote attacker who can supply JSONata expressions (or control data fed into a JSONata expression that includes a regex literal) can cause a Denial of Service by exhausting CPU resources on the host process. This may render the application completely unavailable until the process is restarted.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Remediation

  1. Input validation: Before passing the extracted regex pattern to re.compile(), validate it against an allowlist of safe constructs and reject patterns with nested or ambiguous quantifiers.
  2. Use a safe regex engine: Replace Python's built-in re with the regex module or the re2 binding (google-re2) which guarantees linear-time matching and is immune to ReDoS.
  3. Timeout / resource limit: Wrap re.compile() and pattern.match() / pattern.search() calls in a signal-based or concurrent.futures-based timeout so that any long-running match is interrupted after a configurable deadline.
  4. Upgrade guidance: A patched release should be published to PyPI and the fix backported if the 0.x line is still supported.

Disclosure Timeline

  • 2026-07-02: Discovered via DAST scan
  • 2026-07-02: Reported to maintainer

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions