Security Vulnerability: ReDoS (Regular Expression Denial of Service) in jsonata-python
Summary
The jsonata-python library version 0.6.3 is vulnerable to Regular Expression Denial of Service (ReDoS). User-controlled input in JSONata expressions is passed directly to Python's re.compile() without sanitization, allowing an attacker to supply crafted regex patterns that cause catastrophic backtracking and hang the process.
Affected Package
Vulnerability Details
In tokenizer.py lines 124-160, the JSONata tokenizer extracts the pattern between /../ delimiters from a JSONata expression and passes it directly to re.compile(). Because no validation or sanitization is applied to the pattern string before compilation, an attacker who controls the JSONata expression input can supply an arbitrarily complex regex (e.g., one with nested quantifiers) that triggers catastrophic backtracking in the Python re engine. This causes the process to consume 100% CPU and become unresponsive for an extended or indefinite period.
The attack vector is any application that accepts user-supplied JSONata expressions and evaluates them using this library — a common pattern in data transformation pipelines and API gateways.
Proof of Concept
import jsonata
# Crafted JSONata expression containing a ReDoS regex pattern.
# The pattern (a+)+ against a long non-matching string triggers catastrophic backtracking.
malicious_expression = "/^(a+)+$/"
# Provide a long input string that causes backtracking to explode.
evil_input = "a" * 30 + "!"
# This call will hang the Python process (CPU spins at 100%).
result = jsonata.Jsonata(malicious_expression).evaluate(evil_input)
Impact
An unauthenticated remote attacker who can supply JSONata expressions (or control data fed into a JSONata expression that includes a regex literal) can cause a Denial of Service by exhausting CPU resources on the host process. This may render the application completely unavailable until the process is restarted.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remediation
- Input validation: Before passing the extracted regex pattern to
re.compile(), validate it against an allowlist of safe constructs and reject patterns with nested or ambiguous quantifiers.
- Use a safe regex engine: Replace Python's built-in
re with the regex module or the re2 binding (google-re2) which guarantees linear-time matching and is immune to ReDoS.
- Timeout / resource limit: Wrap
re.compile() and pattern.match() / pattern.search() calls in a signal-based or concurrent.futures-based timeout so that any long-running match is interrupted after a configurable deadline.
- Upgrade guidance: A patched release should be published to PyPI and the fix backported if the 0.x line is still supported.
Disclosure Timeline
- 2026-07-02: Discovered via DAST scan
- 2026-07-02: Reported to maintainer
Security Vulnerability: ReDoS (Regular Expression Denial of Service) in jsonata-python
Summary
The jsonata-python library version 0.6.3 is vulnerable to Regular Expression Denial of Service (ReDoS). User-controlled input in JSONata expressions is passed directly to Python's
re.compile()without sanitization, allowing an attacker to supply crafted regex patterns that cause catastrophic backtracking and hang the process.Affected Package
Vulnerability Details
In
tokenizer.pylines 124-160, the JSONata tokenizer extracts the pattern between/../delimiters from a JSONata expression and passes it directly tore.compile(). Because no validation or sanitization is applied to the pattern string before compilation, an attacker who controls the JSONata expression input can supply an arbitrarily complex regex (e.g., one with nested quantifiers) that triggers catastrophic backtracking in the Pythonreengine. This causes the process to consume 100% CPU and become unresponsive for an extended or indefinite period.The attack vector is any application that accepts user-supplied JSONata expressions and evaluates them using this library — a common pattern in data transformation pipelines and API gateways.
Proof of Concept
Impact
An unauthenticated remote attacker who can supply JSONata expressions (or control data fed into a JSONata expression that includes a regex literal) can cause a Denial of Service by exhausting CPU resources on the host process. This may render the application completely unavailable until the process is restarted.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Remediation
re.compile(), validate it against an allowlist of safe constructs and reject patterns with nested or ambiguous quantifiers.rewith theregexmodule or there2binding (google-re2) which guarantees linear-time matching and is immune to ReDoS.re.compile()andpattern.match()/pattern.search()calls in asignal-based orconcurrent.futures-based timeout so that any long-running match is interrupted after a configurable deadline.Disclosure Timeline