LightRAG OpenSearch Backend Exposed to Wildcard DoS via Unsanitized Search Input (CWE-89)
A security researcher has identified and patched a vulnerability in LightRAG's OpenSearch integration that allows authenticated users to trigger denial-of-service conditions by injecting pathological wildcard patterns into search queries. The flaw, traced to improper input handling in `lightrag/kg/opensearch_impl.py`, enables a well-known Lucene wildcard DoS vector classified under CWE-89 and CWE-1333.
The vulnerable code resides in the `search_labels()` function, which accepts user-supplied query strings and lowercases them before embedding the input directly into a Lucene wildcard clause. Because no sanitization occurs prior to interpolation, an authenticated attacker can craft inputs that produce extreme term enumeration workloads on the OpenSearch backend. The same exposure extends to PPL (Piped Processing Language) string literals through the related `_escape_ppl()` function. Attackers can reach the flaw by calling `GET /graph/label/search?label=...` when LightRAG is configured to use OpenSearch as its graph storage backend.
The maintainers classify the severity as medium: the vulnerability permits authenticated denial of service against the search infrastructure but does not enable remote code execution or direct data exfiltration. The fix introduces proper escaping of wildcard metacharacters, closing the injection vector without altering the function's intended behavior. Projects using LightRAG with OpenSearch storage should verify they have pulled the patched code and restart any affected services so the change takes effect.
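To make the defect and the fix concrete, the following added example (not LightRAG's own code) shows a hypothetical query builder in the vulnerable shape beside an escaped version, together with a small check that counts how many wildcards the engine will actually interpret. The field name `label`, the function names and the length cap are assumptions; the escaping rule itself (backslash before `*`, `?` and `\`) is the standard Lucene/OpenSearch wildcard-query convention.

```python
import re

# Characters an OpenSearch/Lucene wildcard query treats specially:
# '*' (any run), '?' (any single char) and '\' (the escape character).
_WILDCARD_META = re.compile(r"([\\*?])")


def escape_wildcard(value: str) -> str:
    """Backslash-escape wildcard metacharacters so user text matches literally."""
    return _WILDCARD_META.sub(r"\\\1", value)


def build_label_query_vulnerable(label: str) -> dict:
    """Hypothetical builder in the flawed shape: lowercase, then interpolate the raw
    string into a wildcard clause. Any '*' or '?' supplied by the caller stays live."""
    return {"query": {"wildcard": {"label": {"value": f"*{label.lower()}*"}}}}


def build_label_query_safe(label: str, max_len: int = 256) -> dict:
    """Hardened builder: only the two wildcards the code itself adds are interpreted
    by the engine; the caller's text is escaped and bounded in length (assumed cap)."""
    if not label or len(label) > max_len:
        raise ValueError(f"label must be 1..{max_len} characters")
    literal = escape_wildcard(label.lower())
    return {"query": {"wildcard": {"label": {"value": f"*{literal}*"}}}}


def live_wildcards(pattern: str) -> int:
    """Count '*' / '?' that the engine will interpret, i.e. those not escaped.
    A backslash consumes the character after it, so '\\*' is a literal star."""
    count = 0
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if pattern[i] in "*?":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    sample = "A*b?c"  # constructed input containing wildcard metacharacters
    for builder in (build_label_query_vulnerable, build_label_query_safe):
        value = builder(sample)["query"]["wildcard"]["label"]["value"]
        print(f"{builder.__name__}: {value!r} -> {live_wildcards(value)} live wildcards")
```

PPL string literals need their own escaping (quotes and backslashes inside the quoted literal), which is a separate routine from the wildcard escaper shown here.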