ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00069.

Exploitation poc

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
ajv.js ajv unaffected
Version Status Constraints
0 affected < 6.14.0
7.0.0 affected < 8.18.0

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Ajv-validator Subscribe
Ajv Subscribe

Project Subscriptions

Vendors Products
Ajv-validator Subscribe
Ajv Subscribe
Ajv.js Subscribe
Ajv Subscribe
Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2g4f-4pwh-qvx6 ajv has ReDoS when using `$data` option
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md cve-icon cve-icon cve-icon
https://github.com/advisories/GHSA-2g4f-4pwh-qvx6 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-69873 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-69873 cve-icon
History

Mon, 23 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
Description ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
References

Mon, 23 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Ajv.js
Ajv.js ajv
CPEs cpe:2.3:a:ajv.js:ajv:*:*:*:*:*:*:*:*
Vendors & Products Ajv.js
Ajv.js ajv
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

 cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Tue, 17 Feb 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Ajv-validator
Ajv-validator ajv
Vendors & Products Ajv-validator
Ajv-validator ajv

Fri, 13 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Title ajv: ReDoS via $data reference
Weaknesses CWE-1333
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 12 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Description ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-23T08:44:33.500Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69873

cve-icon Vulnrichment

Updated: 2026-02-12T15:14:20.520Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-02-11T19:15:50.467

Modified: 2026-02-23T09:16:30.100

Link: CVE-2025-69873

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-11T00:00:00Z

Links: CVE-2025-69873 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-02-17T08:50:14Z

Weaknesses