CVE-2025-69873
Awaiting Analysis Awaiting Analysis - Queue
ReDoS Vulnerability in ajv $data Option Causes DoS

Publication date: 2026-02-11

Last updated on: 2026-03-02

Assigner: MITRE

Description
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-69873
EUVD
EUVD-2025-207389
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ajv ajv 8.17.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in ajv (Another JSON Schema Validator) through version 8.17.1 when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation.

An attacker can inject a malicious regular expression pattern combined with crafted input to cause catastrophic backtracking, leading to a Regular Expression Denial of Service (ReDoS). For example, a 31-character payload can cause approximately 44 seconds of CPU blocking, and each additional character doubles the execution time.

This allows an attacker to cause a complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Impact Analysis

This vulnerability can cause a denial of service condition by making the CPU spend excessive time processing maliciously crafted regular expressions.

An attacker can send a single HTTP request with a malicious payload that triggers catastrophic backtracking in the regex engine, resulting in significant CPU blocking and making the affected service unresponsive.

This can disrupt availability of APIs or services that rely on ajv with the $data option enabled for dynamic schema validation.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves identifying if the ajv library is used with the $data option enabled for dynamic schema validation, especially in APIs processing JSON schemas.

Since the vulnerability is triggered by malicious regex patterns causing ReDoS, monitoring for unusually high CPU usage or long response times on API endpoints using ajv with $data: true can be an indicator.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include disabling the $data option in ajv if it is not strictly necessary, as this option allows unvalidated regex patterns that lead to ReDoS.

If disabling $data is not possible, carefully validate or sanitize any runtime data used in regex patterns before passing them to ajv.

Additionally, monitor and limit resource usage on affected systems to reduce the impact of potential ReDoS attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-69873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart