GHSA-86vw-mfpg-wwv9HighCVSS 7.5

jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion

Published
July 2, 2026
Last Modified
July 2, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

In JSONata <v2.2.0, it is possible to craft non-matching inputs to the $toMillis function that cause superlinear backtracking in the ISO-8601 validation regex. This may lead to denial of service in applications that evaluate user-provided JSONata expressions.

Patches

This issue has been addressed in JSONata version >= 2.2.0 via fixes that include https://github.com/jsonata-js/jsonata/pull/782 and https://github.com/jsonata-js/jsonata/pull/793. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation.

References

https://github.com/jsonata-js/jsonata/releases/tag/v2.2.0

Credit

Thank you to Doruk Tan Öztürk for disclosing this issue.

🎯 Affected products1

  • npm/jsonata:< 2.2.0

🔗 References (7)