Bug 2439070 (CVE-2025-69873)

Summary: CVE-2025-69873 ajv: ReDoS via $data reference
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abrianik, abuckta, adudiak, akostadi, alcohan, amasferr, anjoseph, anthomas, aschwart, asoldano, ataylor, bbaranow, bbrownin, bdettelb, bmaxwell, boliveir, brian.stansberry, bsmejkal, bstansbe, caswilli, chfoley, cmah, darran.lofthouse, dbruscin, dhanak, dkuc, dlofthou, dmayorov, doconnor, dosoudil, drosa, dschmidt, eaguilar, ebaron, ehelms, erezende, eric.wittmann, ewittman, ggainey, ggrzybek, gmalinko, gparvin, ibek, istudens, ivassile, iweiss, jachapma, janstey, jbalunas, jcantril, jkoehler, jlanda, jlledo, jolong, jprabhak, jrokos, jscholz, juwatts, jwong, kaycoth, kshier, kvanderr, kverlaen, lchilton, lphiri, manissin, mattdavi, mhulan, mnovotny, mosmerov, mposolda, mstipich, msvehla, nipatil, nmoumoul, nwallace, omaciel, orabin, osousa, pahickey, pantinor, parichar, pberan, pbizzarr, pcreech, pdelbell, pesilva, pjindal, pmackay, progier, rchan, rexwhite, rgodfrey, rhaigner, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, simaishi, smaestri, smallamp, smcdonal, snegrini, spichugi, ssidhaye, ssilvert, stcannon, sthirugn, sthorger, swoodman, tasato, tbordaz, teagle, thjenkin, tmalecek, tom.jenkinson, tsedmik, ttakamiy, vashirov, vdosoudi, vmuzikar, wtam, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in ajv. When the $data option is enabled, the value of the pattern keyword is passed directly to the JavaScript RegExp() constructor without sufficient validation. An attacker able to supply a malicious regular expression pattern can trigger a ReDoS (Regular Expression Denial of Service), causing the application to become unresponsive and resulting in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2439357, 2439362, 2439363, 2439366, 2439369, 2439372, 2439374, 2439376, 2439379, 2439380, 2439381, 2439383, 2439384, 2439389, 2439392, 2439394, 2439397, 2439398, 2439399, 2439401, 2439402, 2439403, 2439408, 2439409, 2439412, 2439358, 2439359, 2439360, 2439361, 2439364, 2439365, 2439367, 2439368, 2439370, 2439371, 2439373, 2439375, 2439377, 2439378, 2439382, 2439385, 2439386, 2439387, 2439388, 2439390, 2439391, 2439393, 2439395, 2439396, 2439400, 2439404, 2439405, 2439406, 2439407, 2439410, 2439411    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-11 19:01:55 UTC 
ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.