CVE-2025-69873: ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*

quot;) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Overview

Severity

Low (CVSS 2.9)

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploit Status

Not Exploited

Patch Tuesday

2026-Feb

Released

2026-02-27

EPSS Score

0.07% (percentile: 21.2%)

Affected Products (2)

Open Source Software

• cbl2 python-tensorboard 2.11.0-3 on CBL Mariner 2.0
• azl3 python-tensorboard 2.16.2-6 on Azure Linux 3.0

Revision History

• 2026-02-27: Information published.