When complex REGEX is used, timeout setting is ignored and the query can take way longer than timeout setting allows. Example:
This probably happens because the engine uses java.util.regex which ignores interrupts (e.g. https://stackoverflow.com/q/7125732/214196) so even though timeout expires, regex continues to run. This has DoS potential for public endpoints.