Intel

AIKIDO-2026-37781

datadog/dd-trace is vulnerable to Regular Expression Denial of Service (ReDoS)

Regular Expression Denial of Service (ReDoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

59

Medium Risk

This Affects:

PHPdatadog/dd-trace
1.19.0 - 1.19.0
Fixed in 1.19.1
Are you affected? Scan for Free

TL;DR

The PDO integration normalizes SQL statements in PDOIntegration::useQuestionMarkPlaceholders() using a PCRE pattern that replaces named :placeholder parameters with ?. On queries containing a very large number of named placeholders or a large amount of trailing text, the regex exhibits catastrophic backtracking and near-quadratic processing cost, causing the traced request to consume excessive CPU and hit fatal execution-time limits. Repeated processing of such queries can degrade or exhaust worker capacity. The fix skips normalization for queries longer than 10000 bytes and rewrites the pattern with possessive quantifiers and a \Z(*COMMIT) anchor to prevent backtracking after the last match.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and the traced PDO integration processes SQL queries containing a large number of named placeholders.

Background info

datadog/dd-trace is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 1.19.0 - 1.19.0.

How to fix this

Upgrade the datadog/dd-trace library to the patch version.