datadog/dd-trace is vulnerable to Regular Expression Denial of Service (ReDoS)
59
Medium Risk
The PDO integration normalizes SQL statements in PDOIntegration::useQuestionMarkPlaceholders() using a PCRE pattern that replaces named :placeholder parameters with ?. On queries containing a very large number of named placeholders or a large amount of trailing text, the regex exhibits catastrophic backtracking and near-quadratic processing cost, causing the traced request to consume excessive CPU and hit fatal execution-time limits. Repeated processing of such queries can degrade or exhaust worker capacity. The fix skips normalization for queries longer than 10000 bytes and rewrites the pattern with possessive quantifiers and a \Z(*COMMIT) anchor to prevent backtracking after the last match.
You are affected if you are using a version that falls within the vulnerable range and the traced PDO integration processes SQL queries containing a large number of named placeholders.
datadog/dd-trace is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 1.19.0 - 1.19.0.
Upgrade the datadog/dd-trace library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant