Changes to the Regular Expression engine
On Thursday 17th at 10am CET, Contentful made an important security update to our content type field validations that use Regular Expressions. These validations live in the content type fields, for example to enforce a specific input pattern when creating or updating entries. This change will block updates to content type validations that include potentially dangerous terms, but will not prevent publication or other content type changes.
On Tuesday 17th May, we will make a further update that will prevent publication from content types that contain the potentially dangerous terms.
This change will impact customers who use certain RegEx terms to enforce formatting or validation in their content types, which will no longer be permitted. Please see below for more details on when these changes will affect different customers.
This week we are directly contacting Org Admins at customers who use these validations to flag which content types contain these terms. We cannot offer specific instructions on how to change each validation, but these communications include general guidelines to simplify the process.
Customer impacts
Community & Team customers can still edit affected content types, but only if they leave the regular expression validation untouched. From today this means that new or updated content types must comply with our new requirements for validations. Other changes to affected content types are still possible, as is publication of entries using content types.
From May 17th, all content types must comply with our new requirements. If content types are not updated to use accepted validations, it will not be possible to publish new entries with those content types. Already published content will not be affected.
Premium/Enterprise customers can still make changes to their content type validations. They have three months to make the required changes and ensure there is no disruption to their workflows in affected content types before the May 17th updates.
These updates to our regular expression engine are a proactive preventative measure against potential "ReDoS" attacks and ensure that our customers continue to have the service they expect from Contentful (you can read more about them over at OWASP).