CVE-2025-69873
Status: Awaiting Analysis
ReDoS Vulnerability in ajv $data Option Causes DoS

Publication date: 2026-02-11

Last updated on: 2026-03-02

Assigner: MITRE

Description
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. With that option, the pattern keyword can take its value at runtime from the instance being validated via a JSON Pointer ($data reference), and the resolved string is passed directly to the JavaScript RegExp() constructor without validation. An attacker who controls that string can supply a pattern prone to catastrophic backtracking (e.g., "^(a|a)*$") together with a crafted input value. A 31-character payload causes approximately 44 seconds of CPU blocking, and each additional character doubles the execution time. Because the regex runs synchronously on the event loop, a single HTTP request is enough to deny service to any API that uses ajv with $data: true for dynamic schema validation. Fixed in 8.18.0; the 6.x line is fixed in 6.14.0.
Meta Information
CVSS Scores: none listed
EPSS Scores: probability and percentile not listed
Generated: 2026-05-07
AI Q&A: 2026-02-11
EPSS Evaluated: 2026-05-05
Sources: NVD, EUVD
Affected Vendors & Products
Vendor: ajv
Product: ajv
Version / Range: 8.17.1 (the one associated CPE; per the description, all releases before 8.18.0, and 6.x releases before 6.14.0, are affected)
CWE
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability exists in ajv (Another JSON Schema Validator) before 8.18.0 (8.17.1 is the last affected 8.x release; the 6.x line before 6.14.0 is affected as well) when the $data option is enabled. With that option, the pattern keyword accepts its regex at runtime via JSON Pointer syntax ($data reference), and the resolved string is passed directly to the JavaScript RegExp() constructor without validation.

An attacker can inject a malicious regular expression pattern combined with crafted input to cause catastrophic backtracking, leading to a Regular Expression Denial of Service (ReDoS). For example, a 31-character payload can cause approximately 44 seconds of CPU blocking, and each additional character doubles the execution time.

This allows an attacker to cause a complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.


How can this vulnerability impact me?

This vulnerability can cause a denial of service condition by making the CPU spend excessive time processing maliciously crafted regular expressions.

An attacker can send a single HTTP request with a malicious payload that triggers catastrophic backtracking in the regex engine, resulting in significant CPU blocking and making the affected service unresponsive.

This can disrupt availability of APIs or services that rely on ajv with the $data option enabled for dynamic schema validation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if the ajv library is used with the $data option enabled for dynamic schema validation, especially in APIs processing JSON schemas.

Since the vulnerability is triggered by malicious regex patterns causing ReDoS, monitoring for unusually high CPU usage or long response times on API endpoints using ajv with $data: true can be an indicator.

Specific commands to detect this vulnerability are not provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The direct fix is to upgrade ajv to 8.18.0, or to 6.14.0 on the 6.x line. Until that is done, disable the $data option if it is not strictly necessary, since with it enabled the pattern keyword can take its regex from the data being validated.

If $data cannot be disabled, never let the referenced pattern come from untrusted input: resolve it only from trusted parts of the document, or check it against an allowlist of known patterns (and cap its length) before ajv compiles it.

Additionally, monitor and limit CPU usage and request time on affected systems to reduce the impact of a ReDoS attempt.
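To make both the mechanism described in the "explain" answer and the mitigation steps above concrete, here is an added example that is not ajv's code: a miniature `pattern` keyword that, like the advisory describes, takes its regex from the request body through a relative `$data` reference ("1/regex") and hands it to `RegExp()` unchecked, next to a hardened version of the same keyword that allowlists known patterns, caps pattern and subject length, and rejects the classic nested-quantifier and quantified-alternation shapes with a coarse heuristic. `resolveRelativePointer`, `validateUnsafe`, `validateHardened`, `looksCatastrophic`, `backtrackMs` and the constructed request body are this example's own; only the "N/path" reference syntax is ajv's.

```javascript
"use strict";
// Added example, not ajv's code. A miniature "pattern" keyword with the shape the
// advisory describes: the regex is a $data reference resolved from the request body
// and handed to RegExp() unchecked. Beside it, a hardened variant of the same keyword.
// resolveRelativePointer, validateUnsafe, validateHardened, looksCatastrophic and
// backtrackMs are this example's own names; only the "N/path" $data reference
// syntax is ajv's.

// Resolve a relative JSON pointer such as "1/regex": climb `N` levels from the
// current location `path`, then follow an RFC 6901 pointer from there.
function resolveRelativePointer(ref, root, path) {
  const m = /^(\d+)(\/.*)?$/.exec(ref);
  if (!m) throw new Error(`unsupported $data reference: ${ref}`);
  const up = Number(m[1]);
  if (up > path.length) throw new Error("relative pointer escapes the document");
  let node = root;
  for (const key of path.slice(0, path.length - up)) node = node[key];
  const tokens = m[2] ? m[2].slice(1).split("/") : [];
  for (const raw of tokens) {
    if (node === null || typeof node !== "object") return undefined;
    node = node[raw.replace(/~1/g, "/").replace(/~0/g, "~")];
  }
  return node;
}

function valueAt(root, path) {
  return path.reduce((node, key) => node[key], root);
}

// VULNERABLE shape: whatever string the request carries becomes the regex.
function validateUnsafe(root, path, dataRef) {
  const pattern = resolveRelativePointer(dataRef, root, path);
  const subject = valueAt(root, path);
  if (typeof pattern !== "string" || typeof subject !== "string") return true; // keyword not applicable
  return new RegExp(pattern).test(subject);
}

// Coarse gate for the two classic ReDoS shapes: a quantified group containing a
// quantifier, e.g. (a+)*, and a quantified alternation, e.g. (a|a)*. It rejects some
// harmless patterns such as (foo|bar)+ and does not catch every bad one; it is not a proof.
function looksCatastrophic(pattern) {
  const group = /\(((?:[^()\\]|\\.)*)\)(?:[*+]|\{\d*,\d*\})/g;
  let m;
  while ((m = group.exec(pattern)) !== null) {
    if (/[*+|{]/.test(m[1])) return true;
  }
  return false;
}

const MAX_PATTERN_LENGTH = 64;
const MAX_SUBJECT_LENGTH = 256;
// Patterns this deployment is willing to evaluate when a schema still needs $data.
const ALLOWED_PATTERNS = new Set(["^[a-z0-9_-]{1,32}$", "^\\d{3}-\\d{4}$"]);

// HARDENED shape: allowlist first; anything else must be short and pass the heuristic,
// and the regex only ever runs against a bounded subject.
function validateHardened(root, path, dataRef) {
  const pattern = resolveRelativePointer(dataRef, root, path);
  const subject = valueAt(root, path);
  if (typeof pattern !== "string" || typeof subject !== "string") return true;
  if (!ALLOWED_PATTERNS.has(pattern)) {
    if (pattern.length > MAX_PATTERN_LENGTH) throw new Error("pattern too long");
    if (looksCatastrophic(pattern)) throw new Error("pattern rejected by ReDoS heuristic");
  }
  if (subject.length > MAX_SUBJECT_LENGTH) throw new Error("subject too long");
  return new RegExp(pattern).test(subject);
}

// Time the advisory's pattern against "a" * n + "!": the engine only gives up after
// exploring every way of splitting the a's between the two identical alternatives,
// so each extra "a" doubles the work.
function backtrackMs(n) {
  const subject = "a".repeat(n) + "!";
  const start = process.hrtime.bigint();
  const matched = new RegExp("^(a|a)*$").test(subject);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  if (matched) throw new Error("unexpected match");
  return ms;
}

// Constructed request body: the attacker controls both the regex and the value.
const maliciousBody = { regex: "^(a|a)*$", value: "a".repeat(20) + "!" };

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [16, 18, 20, 22]) console.log(`n=${n}: ${backtrackMs(n).toFixed(1)} ms`);
  console.log("unsafe keyword:", validateUnsafe(maliciousBody, ["value"], "1/regex"));
  try {
    validateHardened(maliciousBody, ["value"], "1/regex");
  } catch (e) {
    console.log("hardened keyword:", e.message);
  }
}
```

The sample body keeps the payload at 20 characters so the unsafe path finishes in tens of milliseconds; extend `value` towards the advisory's 31 characters and the doubling per character becomes the multi-second stall the description reports. The heuristic is deliberately the last line of defence: in practice the allowlist (or turning `$data` off and fixing patterns in the schema) is what removes attacker control, and the length caps bound the damage of anything the heuristic misses.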

