PatchSiren cyber security CVE debrief
CVE-2025-69873 ajv.js CVE debrief
The CVE-2025-69873 vulnerability affects the ajv (Another JSON Schema Validator) library before version 8.18.0. This vulnerability is related to a Regular Expression Denial of Service (ReDoS) issue when the $data option is enabled. The pattern keyword in ajv accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern combined with crafted input to cause catastrophic backtracking, leading to a denial of service. For instance, a 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. The issue is also fixed in version 6.14.0.
- Vendor: ajv.js
- Product: ajv
- CVSS: LOW 2.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-11
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-11
- Advisory updated: 2026-06-30
Who should care
Developers and administrators using the ajv library in their applications, especially those running versions before 8.18.0, should be aware of this vulnerability. The CVSS score of 2.9 (LOW) reflects a relatively low impact, but anyone in the affected scope should still act to mitigate the risk: update to a fixed version of ajv and add monitoring and protective measures around the affected APIs.
Technical summary
The CVE-2025-69873 vulnerability is a Regular Expression Denial of Service (ReDoS) issue in the ajv library. This occurs when the $data option is enabled, allowing an attacker to inject malicious regex patterns that cause catastrophic backtracking when processed. The vulnerability is particularly concerning because it can be exploited with a single HTTP request, leading to a complete denial of service in APIs that use ajv for dynamic schema validation with $data: true. The vulnerability has been addressed in ajv version 8.18.0 and also in version 6.14.0.
Defensive priority
Given the LOW CVSS score of 2.9, the priority is relatively low but still important, especially for applications directly affected by this vulnerability. Immediate action is recommended for systems using vulnerable versions of ajv, focusing on updating to a secure version.
Recommended defensive actions
- Update ajv to version 8.18.0 or later.
- For systems unable to update to 8.18.0, consider updating to version 6.14.0.
- Implement additional monitoring to detect potential exploitation attempts.
- Review and adjust API security measures to mitigate the impact of denial-of-service attacks.
- Consider temporarily disabling the $data option if an immediate update is not feasible.
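To decide whether the `$data` option can be disabled, or which endpoints are exposed while an update is pending, it helps to know where a schema actually uses `$data`-driven patterns. The following audit helper is an added example, not code from the advisory or from the ajv project; the schema it walks is constructed for illustration.

```javascript
// Added example, not from the advisory or the ajv project: audit a JSON Schema
// for `pattern` keywords whose value is a $data reference, i.e. a regex that
// ajv (with $data: true) will take from the instance at runtime. These are the
// schema locations exposed by CVE-2025-69873 before ajv 8.18.0 / 6.14.0.

// A $data reference is an object of the form { $data: "<JSON Pointer>" }.
function isDataRef(value) {
  return value !== null && typeof value === "object" &&
    !Array.isArray(value) && typeof value.$data === "string";
}

// Children of these keywords are property names or regexes, not keywords,
// so a child key literally named "pattern" there is not the pattern keyword.
const NAME_MAPS = new Set(["properties", "patternProperties", "$defs", "definitions", "dependencies"]);

// Returns [{ path, ref }] for every $data-driven pattern keyword.
// `path` is a JSON Pointer into the schema, `ref` the pointer ajv resolves
// against the instance data to fetch the regex.
function findDataPatterns(schema, path = "", inNameMap = false) {
  const hits = [];
  if (schema === null || typeof schema !== "object") return hits;
  if (Array.isArray(schema)) {
    schema.forEach((item, i) => hits.push(...findDataPatterns(item, `${path}/${i}`)));
    return hits;
  }
  for (const [key, value] of Object.entries(schema)) {
    const childPath = `${path}/${key.replace(/~/g, "~0").replace(/\//g, "~1")}`;
    if (!inNameMap && key === "pattern" && isDataRef(value)) {
      hits.push({ path: childPath, ref: value.$data });
    } else {
      hits.push(...findDataPatterns(value, childPath, !inNameMap && NAME_MAPS.has(key)));
    }
  }
  return hits;
}

// Constructed sample: a static pattern (unaffected), a property that is
// itself named "pattern", and two patterns read from client-supplied data.
const SAMPLE_SCHEMA = {
  type: "object",
  properties: {
    username: { type: "string", pattern: "^[a-z0-9_]{3,16}$" },
    pattern: { type: "string" },
    filter: { type: "string", pattern: { $data: "1/filterRegex" } },
    filterRegex: { type: "string" },
    tags: { type: "array", items: { type: "string", pattern: { $data: "2/filterRegex" } } },
  },
};

console.log(findDataPatterns(SAMPLE_SCHEMA));
```

Schemas with no hits do not need `$data: true` for the pattern keyword at all; schemas with hits are the ones where a client-controlled value reaches `RegExp()` on an unpatched ajv.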
Evidence notes
The CVE-2025-69873 vulnerability details were obtained from various sources, including the NVD and CVE records. The vulnerability affects ajv versions before 8.18.0 and is fixed in versions 6.14.0 and 8.18.0. The CVSS score is 2.9, indicating LOW severity. However, the potential for denial of service makes it important for affected parties to take action.
Official resources
- CVE-2025-69873 CVE record (CVE.org)
- CVE-2025-69873 NVD detail (NVD)
This article is AI-assisted and based on the supplied source corpus.