CVE-2026-52746
Received Received - Intake

JSONata Prior to 2.2.0 ISO-8601 Regex Denial of Service

Vulnerability report for CVE-2026-52746, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

JSONata is a JSON query and transformation language. Prior to 2.2.0, malicious non-matching inputs to the $toMillis function can cause superlinear backtracking in the ISO-8601 validation regex, leading to denial of service in applications that evaluate user-provided JSONata expressions. This issue is fixed in version 2.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
jsonata jsonata 2.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the JSONata library before version 2.2.0. Malicious inputs to the $toMillis function can cause superlinear backtracking in the ISO-8601 validation regex, leading to denial of service in applications processing user-provided JSONata expressions.

Detection Guidance

To detect this vulnerability, check the version of JSONata in use. If it is below 2.2.0, the system is vulnerable. Commands to check the version include: npm list jsonata or checking the package.json file for the dependency version.

Impact Analysis

This vulnerability can cause resource exhaustion and denial of service in applications that evaluate user-provided JSONata expressions. It may lead to system downtime or degraded performance for services relying on JSONata for JSON query and transformation.

Compliance Impact

This vulnerability primarily impacts availability by causing denial of service through resource exhaustion in applications processing user-provided JSONata expressions. It does not directly affect data confidentiality or integrity, which are key focus areas for GDPR and HIPAA compliance. However, prolonged downtime could indirectly impact compliance by disrupting access to critical systems handling personal or health data.

Mitigation Strategies

Immediately update JSONata to version 2.2.0 or later. This can be done using npm update jsonata or by modifying the package.json file to specify version 2.2.0 and running npm install.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52746. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart