jsonschema is vulnerable to Denial of Service (DoS)
Medium Risk
The jsonschema crate evaluates the pattern and patternProperties keywords with the underlying regex and fancy-regex engines during instance validation. Certain schemas with very large bounded quantifiers (for example ^.{0,404600}$) can trigger an internal regex-engine panic when matching specific instances, aborting the host process instead of returning a validation error. Services that validate untrusted JSON Schemas, or that validate instances against attacker-influenced patterns, are exposed to denial of service. From version 0.46.4 the crate wraps regex matching in catch_unwind and maps panics to RegexEngineFailure, so validation fails safely with an error instead of a crash.
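The following is an added illustration of the failure mode and of the fix pattern the advisory describes (catch_unwind around the match, panic mapped to an error value). It is not code from the jsonschema crate: the regex engine is a constructed stand-in that only understands patterns of the shape ^.{0,N}$ and panics on an arbitrary, illustrative bound, and PatternError is an assumed error type standing in for the crate's real RegexEngineFailure.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Outcome of checking one instance against a `pattern` keyword.
/// Illustrative type; the real crate has its own error enum.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PatternError {
    /// Ordinary validation failure: the instance does not match.
    Mismatch,
    /// The engine panicked while matching; carries the panic message.
    RegexEngineFailure(String),
}

/// Constructed threshold: the stand-in engine "panics" on bounded quantifiers
/// above this. It is an illustrative trigger, not the limit of any real regex crate.
const SIMULATED_ENGINE_LIMIT: usize = 100_000;

/// Constructed stand-in for a regex engine. Real engines may panic deep inside
/// the matcher on a pathological pattern/instance pair; here we simulate that with
/// an internal assertion, and otherwise do a trivial anchored length check.
/// This is NOT a regex implementation; it only accepts `^.{0,N}$`.
pub fn simulated_engine_is_match(pattern: &str, instance: &str) -> bool {
    let bound: usize = pattern
        .strip_prefix("^.{0,")
        .and_then(|rest| rest.strip_suffix("}$"))
        .and_then(|n| n.parse().ok())
        .unwrap_or(0);
    // Simulated internal engine assertion failing on a huge bounded repetition.
    assert!(bound <= SIMULATED_ENGINE_LIMIT, "internal regex engine assertion failed");
    instance.chars().count() <= bound
}

/// Vulnerable shape: the engine's panic propagates out of validation, so the
/// calling thread (and, with a single-threaded server, the process) dies.
pub fn validate_pattern_unguarded(pattern: &str, instance: &str) -> Result<(), PatternError> {
    if simulated_engine_is_match(pattern, instance) {
        Ok(())
    } else {
        Err(PatternError::Mismatch)
    }
}

/// Fixed shape: run the match under catch_unwind and turn any panic into an
/// ordinary error value, so validation fails safely instead of aborting.
pub fn validate_pattern_guarded(pattern: &str, instance: &str) -> Result<(), PatternError> {
    let outcome = panic::catch_unwind(AssertUnwindSafe(|| {
        simulated_engine_is_match(pattern, instance)
    }));
    match outcome {
        Ok(true) => Ok(()),
        Ok(false) => Err(PatternError::Mismatch),
        Err(payload) => {
            // Panic payloads are usually &'static str (literal messages) or String (formatted).
            let msg = payload
                .downcast_ref::<&str>()
                .map(|s| s.to_string())
                .or_else(|| payload.downcast_ref::<String>().cloned())
                .unwrap_or_else(|| "non-string panic payload".to_string());
            Err(PatternError::RegexEngineFailure(msg))
        }
    }
}

fn main() {
    // Demo only: silence the default panic hook so the caught panic does not
    // spam stderr. A library must not install a global hook like this.
    panic::set_hook(Box::new(|_| {}));
    println!("{:?}", validate_pattern_guarded("^.{0,10}$", "hello"));
    println!("{:?}", validate_pattern_guarded("^.{0,404600}$", "anything"));
}
```

One caveat a practitioner should keep in mind: catch_unwind only helps when the binary is built with the default panic=unwind strategy. A service compiled with panic = "abort" in its Cargo profile still terminates on the first engine panic, so the upgrade must be paired with an unwinding build to get the fail-safe behaviour.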
You are affected if you are using a version that falls within the vulnerable range.
jsonschema is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 0.46.3.
Upgrade the jsonschema crate to 0.46.4 or later.