Bug 2439070 (CVE-2025-69873) - CVE-2025-69873 ajv: ReDoS via $data reference
Summary: CVE-2025-69873 ajv: ReDoS via $data reference
Keywords:
Status: NEW
Alias: CVE-2025-69873
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2439357 2439362 2439363 2439366 2439369 2439372 2439374 2439376 2439379 2439380 2439381 2439383 2439384 2439389 2439392 2439394 2439397 2439398 2439399 2439401 2439402 2439403 2439408 2439409 2439412 2439358 2439359 2439360 2439361 2439364 2439365 2439367 2439368 2439370 2439371 2439373 2439375 2439377 2439378 2439382 2439385 2439386 2439387 2439388 2439390 2439391 2439393 2439395 2439396 2439400 2439404 2439405 2439406 2439407 2439410 2439411
Blocks:
Reported: 2026-02-11 19:01 UTC by OSIDB Bzimport
Modified: 2026-03-12 13:46 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-02-11 19:01:55 UTC
ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
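As a defensive illustration of the flaw described above, the following JavaScript is an added example, not code from ajv or from this report. It models the $data flow (a pattern read from the instance being validated, as `pattern: { $data: "1/allowedPattern" }` would do) and inserts a guard before the string reaches RegExp(): a length cap plus a scan for quantified groups whose body contains an alternation or another quantifier, the shapes behind catastrophic backtracking. The function names, the 256-character cap and the sample instances are assumptions constructed for this example; the shape check is a conservative heuristic that also flags some harmless patterns, so in practice the safer choice is to not accept `pattern` via $data from untrusted input at all, or to use a vetted analysis library.

```javascript
// Added example (not from ajv or the bug report): guard a regex pattern that
// arrives as runtime data, as a `$data` reference for `pattern` does, before it
// is handed to RegExp(). Names and the length cap are assumptions for this
// illustration; the shape detection is a conservative heuristic, not a proof.

const MAX_PATTERN_LENGTH = 256; // constructed limit for untrusted patterns

// Scan a pattern and return the first quantified group whose body contains an
// alternation or another quantifier, e.g. "(a|a)*" or "(a+)+": the classic
// shapes behind catastrophic backtracking. Returns null if none is found.
// Escapes and character classes are skipped so "\(" or "[(]" do not count.
// Conservative: "(ab|cd)+" is also flagged although it backtracks harmlessly.
function findRiskyQuantifiedGroup(pattern) {
  const groups = [];        // open groups: { start, risky }
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; }                 // skip escaped char
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') { groups.push({ start: i, risky: false }); continue; }
    if (ch === '|' || ch === '*' || ch === '+' || ch === '{') {
      if (groups.length) groups[groups.length - 1].risky = true;
      continue;
    }
    if (ch === ')') {
      const g = groups.pop();
      if (!g) continue;                 // unbalanced ")": let RegExp() report it
      const next = pattern[i + 1];
      if (g.risky && (next === '*' || next === '+' || next === '{')) {
        return pattern.slice(g.start, i + 2);
      }
      // an inner quantifier also makes the enclosing group risky if it is quantified
      if (g.risky && groups.length) groups[groups.length - 1].risky = true;
    }
  }
  return null;
}

// Compile a pattern that came from runtime data, refusing the risky shapes.
// Throws before RegExp() ever sees a rejected pattern.
function compilePatternFromData(pattern) {
  if (typeof pattern !== 'string') {
    throw new TypeError('pattern from $data must be a string');
  }
  if (pattern.length > MAX_PATTERN_LENGTH) {
    throw new RangeError(`pattern longer than ${MAX_PATTERN_LENGTH} characters rejected`);
  }
  const risky = findRiskyQuantifiedGroup(pattern);
  if (risky !== null) {
    throw new Error(`pattern rejected: quantified group ${risky} can backtrack exponentially`);
  }
  return new RegExp(pattern, 'u'); // 'u' gives stricter syntax checking
}

// Mimics a validation where the schema says `pattern: { $data: "1/allowedPattern" }`:
// the pattern is read from a sibling property of the instance being validated.
// Returns true/false for the match, or throws if the pattern is rejected.
function checkAgainstDataPattern(instance) {
  const re = compilePatternFromData(instance.allowedPattern);
  return re.test(instance.value);
}

// Constructed instances: a benign one, and one carrying the pattern quoted in
// the report. The guard rejects the second regardless of the value field.
const benign = { allowedPattern: '^[0-9]{3}-[0-9]{4}$', value: '555-1234' };
const hostile = { allowedPattern: '^(a|a)*$', value: 'aaaa' };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('benign:', checkAgainstDataPattern(benign));   // true
  try {
    checkAgainstDataPattern(hostile);
  } catch (err) {
    console.log('hostile:', err.message);                    // rejected before RegExp() runs
  }
}
```

The guard runs in linear time over the pattern string, so it cannot itself become the bottleneck; the cost of the check is paid once per compile, whereas the backtracking cost the report describes is paid on every validation call. Rejecting the pattern at compile time is preferable to a timeout around the match, because a timeout still lets one request pin a CPU core until it fires.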

