CVE-2025-69873

A flaw was found in ajv. When the $data option is enabled, the value of the pattern keyword is passed directly to the JavaScript RegExp constructor without sufficient validation. An attacker able to supply a malicious regular expression pattern can trigger a ReDoS Regular Expression Denial of...

Regular Expression Denial of Service (ReDoS)

Overview ajv is an Another JSON Schema Validator Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS due to improper validation of the pattern keyword when combined with $data references. An attacker can cause the application to become unresponsive and...

CVE-2025-69873

CVE-2025-69873 affects ajv (up to v8.17.1). The pattern keyword using $data accepts runtime data and passes it to JavaScript RegExp() without validation, enabling ReDoS with crafted input (e.g., "^(a|a)*$"). This can cause significant CPU usage per request when dynamic schema validation is used. ...

Regular Expression Denial of Service (ReDoS)

Overview org.webjars.npm:ajv is an Another JSON Schema Validator Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS due to improper validation of the pattern keyword when combined with $data references. An attacker can cause the application to become...