CVE-2025-69873: ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*

quot;) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Overview

Severity

Low (CVSS 2.9)

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploit Status

Not Exploited

Patch Tuesday

2026-Feb

Released

2026-02-27

Last Updated

2026-03-03

EPSS Score

0.02% (percentile: 5.0%)

Affected Products (2)

Other

• 19712-17086
• 19693-17084

Revision History

• 2026-02-27: Information published.
• 2026-02-28: Information published.
• 2026-03-03: Information published.