GHSA-86vw-mfpg-wwv9
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion
Details
### Impact

In JSONata `<v2.2.0`, it is possible to craft non-matching inputs to the [$toMillis](https://docs.jsonata.org/date-time-functions#tomillis) function that cause superlinear backtracking in the ISO-8601 validation regex. This may lead to denial of service in applications that evaluate user-provided JSONata expressions.
### Patches

This issue has been addressed in JSONata version >= 2.2.0 via fixes that include https://github.com/jsonata-js/jsonata/pull/782 and https://github.com/jsonata-js/jsonata/pull/793. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation.
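Upgrading is the fix; the block below is an added illustration of the defensive pattern behind it, not JSONata's own code or the code from the linked pull requests. It shows an application-side guard that an expression-evaluating service could apply to timestamp strings before they reach a date-parsing function: cap the input length and validate the ISO-8601 shape with a fixed, position-by-position scan rather than a backtracking regex, so a non-matching input is rejected in time linear in its length. The accepted grammar (a strict ISO-8601 subset), the length cap `MAX_TIMESTAMP_LENGTH` and the function names `isIsoTimestampLinear` and `safeToMillis` are assumptions made for this example.

```javascript
// Added example, not JSONata's code: a linear-time guard for timestamp strings.
// Assumed cap; genuine ISO-8601 timestamps in the accepted subset are far shorter.
const MAX_TIMESTAMP_LENGTH = 40;

// Accepted grammar (assumed strict ISO-8601 subset for this illustration):
//   YYYY-MM-DD[Thh:mm[:ss[.fff]]][Z|(+|-)hh:mm]
// Every branch consumes input left to right with no backtracking, so the
// cost of rejecting a malformed string is O(length) and bounded by the cap.
function isIsoTimestampLinear(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_TIMESTAMP_LENGTH) {
    return false;
  }
  let i = 0;

  // Consume exactly n ASCII digits; advance only if all n are present.
  // charCodeAt past the end yields NaN, which fails the range test.
  const digits = (n) => {
    for (let k = 0; k < n; k++) {
      const c = s.charCodeAt(i + k);
      if (!(c >= 48 && c <= 57)) return false;
    }
    i += n;
    return true;
  };
  // Consume one literal character if it is next.
  const lit = (ch) => (s[i] === ch ? (i++, true) : false);

  // Mandatory calendar date.
  if (!(digits(4) && lit('-') && digits(2) && lit('-') && digits(2))) return false;

  // Optional time part.
  if (lit('T')) {
    if (!(digits(2) && lit(':') && digits(2))) return false;
    if (lit(':')) {
      if (!digits(2)) return false;
      if (lit('.')) {
        // One to three fraction digits.
        const start = i;
        while (i < s.length && i - start < 3 && s.charCodeAt(i) >= 48 && s.charCodeAt(i) <= 57) {
          i++;
        }
        if (i === start) return false;
      }
    }
  }

  // Optional zone designator.
  if (!lit('Z') && (s[i] === '+' || s[i] === '-')) {
    i++;
    if (!(digits(2) && lit(':') && digits(2))) return false;
  }

  // The whole string must have been consumed; trailing junk is rejected.
  return i === s.length;
}

// Guarded conversion: only strings that pass the linear check are parsed.
// Returns epoch milliseconds, or null when the input is rejected or unparseable.
function safeToMillis(s) {
  if (!isIsoTimestampLinear(s)) return null;
  const ms = Date.parse(s);
  return Number.isNaN(ms) ? null : ms;
}

module.exports = { MAX_TIMESTAMP_LENGTH, isIsoTimestampLinear, safeToMillis };
```

The guard belongs in the layer that accepts user-provided expressions or their input data, in addition to (not instead of) upgrading to 2.2.0 or later; the same two ideas, a hard length cap and a scanner that never revisits a character, are what keep validation cost proportional to input size no matter how the input is shaped.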
### References

https://github.com/jsonata-js/jsonata/releases/tag/v2.2.0
### Credit

Thank you to Doruk Tan Öztürk for disclosing this issue.
References
- https://github.com/jsonata-js/jsonata/security/advisories/GHSA-86vw-mfpg-wwv9 [WEB]
- https://github.com/jsonata-js/jsonata/pull/782 [WEB]
- https://github.com/jsonata-js/jsonata/pull/793 [WEB]
- https://github.com/jsonata-js/jsonata/commit/80ba95d170f74e3f20f4f36b8b77d8c85cea7686 [WEB]
- https://github.com/jsonata-js/jsonata/commit/d6ffc17cb16a8e53c222205bd274624e919cce0b [WEB]
- https://github.com/jsonata-js/jsonata [PACKAGE]
- https://github.com/jsonata-js/jsonata/releases/tag/v2.2.0 [WEB]