Intel

AIKIDO-2026-342953

@ibm-cloud/openapi-ruleset is vulnerable to Regular Expression Denial of Service (ReDoS)

Regular Expression Denial of Service (ReDoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

53

Medium Risk

This Affects:

JS@ibm-cloud/openapi-ruleset
1.14.1 - 1.33.10
Fixed in 1.33.11
Are you affected? Scan for Free

TL;DR

@ibm-cloud/openapi-ruleset validates OpenAPI documents against IBM Cloud API conventions using Spectral rules. The ibm-schema-casing-convention and ibm-parameter-casing-convention rules check schema names and header parameter names with regular expressions that use overlapping, ambiguous quantifiers. A crafted schema name or header parameter name triggers catastrophic backtracking, causing the validation process to exhaust CPU and hang. The fix rewrites both patterns so they match in linear time while keeping the same validation logic.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and you run the validator against OpenAPI documents from untrusted sources.

Background info

@ibm-cloud/openapi-ruleset is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 1.14.1 - 1.33.10.

How to fix this

Upgrade the @ibm-cloud/openapi-ruleset library to the patch version.