google-adk is vulnerable to Regular Expression Denial of Service (ReDoS)
59
Medium Risk
The google-adk code executor extracts code blocks from model response text using a regular expression that combines nested lazy wildcards with DOTALL matching. When a response contains an opening code-block delimiter but no matching trailing delimiter, the pattern enters catastrophic backtracking that scales quadratically with the input length. Processing a large delimiter-free or unterminated response then consumes CPU for an extended period and stalls the agent turn, blocking execution and bypassing configured timeouts. The fix replaces the regular expression with a linear string search that locates delimiters without backtracking.
You are affected if you are using a version that falls within the vulnerable range and your agents use a code executor that processes large or untrusted model responses.
google-adk is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 0.0.2 - 2.2.0.
Upgrade the google-adk library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant