CVE-2025-69873

EPSS 0.06%
Veröffentlicht 11.02.2026 00:00:00
Zuletzt bearbeitet 02.03.2026 21:16:24
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerajv.js

≫

Produkt ajv

Default Statusunaffected

Version < 6.14.0

Version 0

Status affected

Version < 8.17.2

Version 7.0.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.169

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	2.9	1.4	1.4	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md

https://github.com/advisories/GHSA-2g4f-4pwh-qvx6

https://github.com/ajv-validator/ajv/pull/2588

https://github.com/ajv-validator/ajv/pull/2590

https://github.com/ajv-validator/ajv/releases/tag/v6.14.0

https://github.com/github/advisory-database/pull/6991

https://nvd.nist.gov/vuln/detail/CVE-2025-69873

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-69873

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-69873

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-69873