SB2026071793 - Multiple vulnerabilities in JSONata
Published: July 17, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Inefficient regular expression complexity (CVE-ID: CVE-2026-52746)
CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to inefficient regular expression complexity in the $toMillis function when processing crafted format values in user-supplied JSONata expressions. A remote attacker can supply a specially crafted expression to cause a denial of service.
2) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper access to object prototype properties in the lookup function when evaluating crafted JSONata expressions. A remote attacker can supply a specially crafted expression to execute arbitrary code.
3) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper access control in environment.lookup when evaluating crafted JSONata expressions. A remote attacker can supply a specially crafted expression to execute arbitrary code.
4) Code Injection (CVE-ID: N/A)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control over dynamically managed code resources in expression evaluation logic when processing crafted JSONata expressions. A remote attacker can supply a specially crafted expression to execute arbitrary code.
The issue can be triggered by chaining multiple expression-manipulation behaviors, including overwriting $clone, destructuring functions or lambdas, and abusing proc.arguments.forEach in applyProcedure.
Remediation
Install update from vendor's website.
References
- https://github.com/jsonata-js/jsonata/security/advisories/GHSA-86vw-mfpg-wwv9
- https://github.com/jsonata-js/jsonata/releases/tag/v2.2.0
- https://github.com/jsonata-js/jsonata/security/advisories/GHSA-8gq3-vp5j-2grp
- https://github.com/jsonata-js/jsonata/commit/4c5f4adfb90a9b500889d50f90050ca68888b50d
- https://github.com/jsonata-js/jsonata/security/advisories/GHSA-2943-5xfg-gq5f
- https://github.com/jsonata-js/jsonata/commit/c41ef185136a7b96ca1049c7745a7503b82193de
- https://github.com/jsonata-js/jsonata/security/advisories/GHSA-66mm-25pp-rfff