CVE Catalog

CVE-2025-69873

LowCVSS 2.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.49%

39th percentile — higher than 39% of all known CVEs

Summary

A ReDoS vulnerability in ajv (Another JSON Schema Validator) before version 8.18.0 allows an attacker to cause a denial of service (DoS) by injecting a malicious regex pattern into the $data option. A single HTTP request with a 31-character payload can block the CPU for approximately 44 seconds.

Risk Assessment

The risk is a complete denial of service for any application or API using ajv with $data: true enabled, making the service unavailable to legitimate users. The attack is easy to execute and requires no authentication.

Recommendation

Immediately update ajv to version 8.18.0 or later (or 6.14.0 for the 6.x branch). If an update is not possible, disable the $data option in the schema validation configuration.

Original NVD description (English source)

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS