CVE-2025-69873 - Vulnerability Details

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

No data.

References

Link	Providers
https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
https://nvd.nist.gov/vuln/detail/CVE-2025-69873
https://www.cve.org/CVERecord?id=CVE-2025-69873

History

Fri, 13 Feb 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title		ajv: ReDoS via $data reference
Weaknesses		CWE-1333
References		https://nvd.nist.gov/vuln/detail/CVE-2025-69873 https://www.cve.org/CVERecord?id=CVE-2025-69873
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 12 Feb 2026 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 11 Feb 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a\|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
References		https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-02-11T00:00:00.000Z

Updated: 2026-02-12T15:14:29.656Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-69873

Vulnrichment

Updated: 2026-02-12T15:14:20.520Z

NVD

Status : Awaiting Analysis

Published: 2026-02-11T19:15:50.467

Modified: 2026-02-12T16:16:05.583

Link: CVE-2025-69873

Redhat

Severity : Important

Publid Date: 2026-02-11T00:00:00Z

Links: CVE-2025-69873 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object