{"id":"CVE-2025-69873","details":"ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.","aliases":["GHSA-2g4f-4pwh-qvx6"],"modified":"2026-03-20T12:46:35.501482Z","published":"2026-02-11T19:15:50.467Z","related":["CGA-pjx7-r22p-cr2c"],"references":[{"type":"WEB","url":"https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md"},{"type":"WEB","url":"https://github.com/ajv-validator/ajv/releases/tag/v6.14.0"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-2g4f-4pwh-qvx6"},{"type":"FIX","url":"https://github.com/github/advisory-database/pull/6991"},{"type":"FIX","url":"https://github.com/ajv-validator/ajv/pull/2588"},{"type":"FIX","url":"https://github.com/ajv-validator/ajv/pull/2590"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ajv-validator/ajv","events":[{"introduced":"0"},{"fixed":"142ce84b807c4fe66e619c22480a28d0e4bd50fa"},{"fixed":"e3af0a723b4b7ad86eff43be355c706d31e0e915"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"8.18.0"}]}}],"versions":["0.3.0","0.3.8","0.4.0","0.4.1","0.4.14","0.4.4","0.5.0","0.5.1","0.5.11","0.5.2","0.5.6","0.5.9","0.6.0","0.6.1","0.6.10","0.6.11","0.6.9","0.7.0","1.0.0","1.0.1","1.1.0","1.1.1","1.2.0","1.2.1","1.3.1","1.3.2","1.4.0","1.4.1","1.4.10","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","2.0.0","2.1.0","2.2.0","2.3.0","2.4.0","2.5.0","3.0.0","3.1.0","3.2.0","3.2.1","3.2.2","3.3.0","3.4.0","3.5.0","3.6.0","3.7.0","3.7.2","3.8.0","4.0.0","4.1.0","4.10.0","4.11.0","4.11.6","4.11.7","4.11.8","4.2.0","4.3.0","4.4.0","4.5.0","4.6.0","4.7.0","4.8.0","4.9.0","5.0.0","5.0.0-beta.0","5.0.0-beta.1","5.0.1","5.0.1-beta.0","5.0.1-beta.1","5.0.1-beta.2","5.0.1-beta.3","5.0.2-beta.0","5.0.3-beta.0","5.0.4-beta.0","5.0.4-beta.1","5.0.4-beta.3","v5.1.0","v5.1.1","v5.1.2","v5.1.3","v5.1.4","v5.1.5","v5.1.6","v5.2.0","v5.2.1","v5.2.2","v5.2.3","v5.2.4","v5.2.5","v5.3.0","v5.4.0","v5.5.0","v5.5.1","v5.5.2","v6.0.0","v6.0.0-beta.0","v6.0.0-beta.1","v6.0.0-beta.2","v6.0.0-rc.0","v6.0.0-rc.1","v6.0.1","v6.1.0","v6.1.1","v6.10.0","v6.10.1","v6.10.2","v6.11.0","v6.12.0","v6.12.1","v6.12.2","v6.12.3","v6.12.4","v6.12.5","v6.12.6","v6.2.0","v6.2.1","v6.3.0","v6.4.0","v6.5.0","v6.5.1","v6.5.2","v6.5.3","v6.5.4","v6.5.5","v6.6.0","v6.6.1","v6.6.2","v6.7.0","v6.8.0","v6.8.1","v6.9.0","v6.9.1","v6.9.2","v7.0.0","v7.0.0-alpha.0","v7.0.0-alpha.1","v7.0.0-beta.0","v7.0.0-beta.1","v7.0.0-beta.2","v7.0.0-beta.3","v7.0.0-beta.4","v7.0.0-beta.5","v7.0.0-beta.6","v7.0.0-beta.7","v7.0.0-beta.8","v7.0.0-beta.9","v7.0.0-rc.0","v7.0.0-rc.1","v7.0.0-rc.2","v7.0.0-rc.3","v7.0.0-rc.4","v7.0.0-rc.5","v7.0.1","v7.0.2","v7.0.3","v7.0.4","v7.1.0","v7.1.1","v7.2.0","v7.2.1","v7.2.2","v7.2.3","v7.2.4","v8.0.0","v8.0.0-beta.0","v8.0.0-beta.1","v8.0.0-beta.2","v8.0.0-beta.3","v8.0.0-beta.4","v8.0.1","v8.0.2","v8.0.3","v8.0.4","v8.0.5","v8.1.0","v8.10.0","v8.11.0","v8.11.1","v8.11.2","v8.12.0","v8.13.0","v8.14.0","v8.15.0","v8.16.0","v8.17.0","v8.17.1","v8.2.0","v8.3.0","v8.4.0","v8.5.0","v8.6.0","v8.6.1","v8.6.2","v8.6.3","v8.7.0","v8.7.1","v8.8.0","v8.8.1","v8.8.2","v8.9.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-69873.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}