CVE-2025-69873

Severity: Low (CVSS 3.1 base score 2.9)
EPSS: 32.5%
Published: Feb 11, 2026
Last Modified: Jun 17, 2026

Description

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

CVSS Details

Base Score
2.9
Exploitability
1.4
Impact
1.4
Vector string
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector Local
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

Threat Intelligence

EPSS Exploit Probability
32.5% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses

CWE-1333 Inefficient Regular Expression Complexity
CWE-400 Uncontrolled Resource Consumption

References

  • https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
  • https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
  • https://github.com/ajv-validator/ajv/pull/2588
  • https://github.com/ajv-validator/ajv/pull/2590
  • https://github.com/ajv-validator/ajv/releases/tag/v6.14.0
  • https://github.com/github/advisory-database/pull/6991

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.