PT-2026-7637 · Ajv · Ajv
Published: 2025-01-01 · Updated: 2026-05-20 · CVE-2025-69873
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: ajv versions through 8.17.1

Description: ajv (Another JSON Schema Validator) is susceptible to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data through JSON Pointer syntax (a $data reference) and passes it directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regular expression pattern, such as ^(a|a)*$, combined with crafted input, to trigger catastrophic backtracking. A 31-character payload can cause approximately 44 seconds of CPU blocking, with execution time doubling with each additional character. This can lead to a complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. The vulnerable component is the RegExp() constructor used in conjunction with the pattern keyword.

Recommendations: Versions prior to 8.17.1 should be used. Disable the $data option when using ajv for schema validation.
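Where disabling $data is not an option, the runtime-supplied pattern has to be checked before it reaches RegExp(). The guard below is an added example, not code from the advisory or the ajv project; the schema shape in its comments, the 256-character cap and the heuristic itself are assumptions made for this example.

```javascript
// Added example (not from the advisory or the ajv project): a guard that a
// service can run over a client-supplied pattern before it reaches RegExp().
// With ajv's $data option, a schema such as
//   { properties: { value:   { type: "string", pattern: { $data: "1/pattern" } },
//                   pattern: { type: "string" } } }
// takes the regex from the request body itself, so the body's "pattern" field
// is the value to check. The heuristic flags the two shapes behind catastrophic
// backtracking: a repeated group containing a quantifier, e.g. (a+)+, and a
// repeated group containing alternation, e.g. (a|a)*, the pattern quoted above.
const MAX_PATTERN_LENGTH = 256; // assumption: cap chosen for this example

function isSuspiciousPattern(pattern) {
  const stack = []; // one frame per open group: did it contain '|' or a quantifier?
  let i = 0;
  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === '\\') { i += 2; continue; }             // escaped character
    if (ch === '[') {                                  // character class: metachars are literal
      i += 1;
      if (pattern[i] === ']') i += 1;                  // leading ']' is literal
      while (i < pattern.length && pattern[i] !== ']') i += pattern[i] === '\\' ? 2 : 1;
      i += 1;
      continue;
    }
    if (ch === '(') { stack.push({ quantified: false, alternation: false }); i += 1; continue; }
    if (ch === ')') {
      const frame = stack.pop();
      const next = pattern[i + 1];
      const repeated = next === '*' || next === '+' || next === '{';
      if (frame && repeated && (frame.quantified || frame.alternation)) return true;
      // a repeated inner group is itself a quantifier for the enclosing group
      if (frame && repeated && stack.length) stack[stack.length - 1].quantified = true;
      i += 1;
      continue;
    }
    if (stack.length && ch === '|') stack[stack.length - 1].alternation = true;
    if (stack.length && (ch === '*' || ch === '+' || ch === '{')) stack[stack.length - 1].quantified = true;
    i += 1;
  }
  return false;
}

// Use this instead of a bare new RegExp(pattern) for untrusted patterns.
function compileRuntimePattern(pattern) {
  if (typeof pattern !== 'string') throw new TypeError('pattern must be a string');
  if (pattern.length > MAX_PATTERN_LENGTH) throw new RangeError('pattern too long');
  if (isSuspiciousPattern(pattern)) throw new Error('pattern rejected: possible catastrophic backtracking');
  return new RegExp(pattern);
}

console.log(isSuspiciousPattern('^(a|a)*$'), isSuspiciousPattern('^[a-z0-9_-]{3,16}$')); // true false
```

The check is a heuristic that rejects the classic exponential shapes, not a proof that a pattern is linear-time; it complements, rather than replaces, the advisory's recommendation to disable $data.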

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-LC05413
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14897
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CLEANSTART-2026-TZ34913
CVE-2025-69873
GHSA-2G4F-4PWH-QVX6
RHSA-2026:13512
RHSA-2026:6277

Affected Products

Ajv