<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>JSONata - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/jsonata/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:29:50 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/jsonata/feed.xml" rel="self" type="application/rss+xml"/><item><title>JSONata $toMillis Function Vulnerability Leads to Denial of Service (CVE-2026-52746)</title><link>https://feed.craftedsignal.io/briefs/2026-07-jsonata-dos/</link><pubDate>Fri, 03 Jul 2026 11:29:50 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-jsonata-dos/</guid><description>A high-severity vulnerability, CVE-2026-52746, in JSONata versions prior to 2.2.0 allows unauthenticated attackers to cause a denial of service by exploiting superlinear backtracking in the ISO-8601 validation regex through malicious inputs to the `$toMillis` function, leading to resource exhaustion and application unresponsiveness.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2026-52746, has been identified in JSONata versions prior to 2.2.0. This flaw enables attackers to initiate a denial of service (DoS) by leveraging specially crafted, non-matching inputs to the <code>$toMillis</code> function. These malicious inputs trigger superlinear backtracking within the ISO-8601 validation regex, resulting in significant CPU resource consumption. Applications that evaluate user-provided JSONata expressions are particularly susceptible, as exploitation can render them unresponsive or cause crashes. The issue was disclosed by Doruk Tan Öztürk and has been addressed in JSONata version 2.2.0 through fixes implemented in pull requests #782 and #793. Developers are urged to update their JSONata dependencies immediately to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker crafts malicious JSONata expression</strong>: An attacker creates a JSONata expression specifically designed with non-matching inputs for the <code>$toMillis</code> function.</li>
<li><strong>Attacker delivers expression to vulnerable application</strong>: The malicious JSONata expression is submitted to a web application or service that processes user-controlled JSONata queries.</li>
<li><strong>Vulnerable application evaluates expression</strong>: The application, running an affected JSONata version (<code>&lt; 2.2.0</code>), attempts to evaluate the provided expression and validate the <code>$toMillis</code> input using its ISO-8601 regex.</li>
<li><strong>Regex backtracking consumes excessive resources</strong>: The malformed input triggers a superlinear backtracking issue within the ISO-8601 validation regex, leading to a significant increase in the application's CPU utilization.</li>
<li><strong>Application becomes unresponsive</strong>: Due to the consumed resources, the application experiences a denial of service, becoming slow, unresponsive, or crashing entirely.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-52746 results in a denial of service (DoS) condition for applications utilizing vulnerable JSONata versions. Affected organizations may experience application unresponsiveness, service outages, and potential data processing interruptions. While no specific victim counts or targeted sectors were provided, any application parsing untrusted JSONata expressions is at risk of resource exhaustion and service disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade JSONata to version <code>2.2.0</code> or newer to patch CVE-2026-52746.</li>
<li>Review applications that process user-provided JSONata expressions to ensure they are using patched versions of <code>npm/jsonata</code>.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>nodejs</category><category>vulnerability</category><category>CVE-2026-52746</category></item></channel></rss>