CVE-2025-69873 Overview
CVE-2025-69873 is a Regular Expression Denial of Service (ReDoS) vulnerability in ajv (Another JSON Schema Validator) versions before 8.18.0. The flaw exists when the $data option is enabled, allowing the pattern keyword to accept runtime data via JSON Pointer syntax. The supplied pattern is passed directly to the JavaScript RegExp() constructor without validation. An attacker can submit a malicious regex pattern combined with crafted input to trigger catastrophic backtracking. A single HTTP request can cause sustained CPU blocking against any API using ajv with $data: true for dynamic schema validation. The issue is also fixed in version 6.14.0.
Critical Impact
A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time, enabling single-request denial of service against affected APIs.
Affected Products
- ajv (Another JSON Schema Validator) versions before 8.18.0
- ajv 6.x branch before 6.14.0
- Applications using ajv with the $data: true option enabled for dynamic schema validation
Discovery Timeline
- 2026-02-11 - CVE-2025-69873 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-69873
Vulnerability Analysis
The vulnerability is classified under [CWE-1333] (Inefficient Regular Expression Complexity) and [CWE-400] (Uncontrolled Resource Consumption). The flaw allows an attacker to supply both the regular expression and the input string evaluated against it. When combined with backtracking-prone patterns, the JavaScript engine performs exponential work on each input character.
The attack relies on a classic evil regex such as ^(a|a)*$. Each additional matching character roughly doubles the execution time, so payloads grow lethal quickly. A 31-character input produces about 44 seconds of CPU blocking on a single thread. Node.js runs JavaScript on a single event loop, so blocking the thread halts all concurrent requests on that worker.
Root Cause
The root cause is missing validation on user-controllable regex patterns received through $data references. The pattern keyword in JSON Schema is intended to validate strings against a fixed pattern defined by the schema author. With $data: true, ajv resolves the pattern at runtime from a JSON Pointer that may reference attacker-controlled data. The resolved value is handed to new RegExp() without sanitization or complexity analysis, making backtracking attacks trivial to deliver.
Attack Vector
An attacker submits a JSON document to an API endpoint that validates input with ajv using $data: true. The document contains a JSON property that the schema treats as the pattern source, plus a target string crafted to force exponential backtracking. The validator compiles the supplied regex and applies it to the crafted string, consuming CPU until the match completes. While CVSS classifies the attack vector as local with high complexity and limited availability impact, real-world exposure depends on whether the schema design exposes $data-driven pattern evaluation to remote input. The vulnerability manifests in the pattern keyword handling logic; see the GitHub CVE-2025-69873 Disclosure and GitHub Security Advisory GHSA-2g4f-4pwh-qvx6 for technical details.
Detection Methods for CVE-2025-69873
Indicators of Compromise
- Sustained 100% CPU utilization on Node.js worker processes following a single API request
- Event loop blocking, request timeouts, and dropped health checks on services using ajv
- Inbound JSON payloads containing regex metacharacter clusters such as (a|a)*, (a+)+, or (.*)* in fields referenced by a $data pattern
Detection Strategies
- Inventory dependencies for ajv versions earlier than 8.18.0 (and earlier than 6.14.0 on the 6.x line) using software composition analysis or npm ls ajv
- Audit JSON Schemas in the codebase for $data: true combined with the pattern keyword, and flag any schema where pattern resolves from untrusted input
- Correlate API request logs with CPU spikes and event loop lag metrics to identify ReDoS triggers
Monitoring Recommendations
- Track event loop lag and per-request CPU time on Node.js services and alert on outliers exceeding normal validation latency
- Log and sample JSON request bodies to inspect for adversarial regex fragments in fields used as dynamic patterns
- Monitor Web Application Firewall (WAF) telemetry for payloads matching common evil regex signatures targeting JSON APIs
How to Mitigate CVE-2025-69873
Immediate Actions Required
- Upgrade ajv to version 8.18.0 or later, or to 6.14.0 on the 6.x branch
- Disable the $data option in schemas that do not require runtime references
- Review all schemas for pattern keywords whose values can be controlled by request data, and remove or constrain them
Patch Information
The fix is shipped in ajv 8.18.0 and back-ported to 6.14.0. The relevant changes are tracked in GitHub AJV Pull Request #2588 and GitHub AJV Pull Request #2590. Release notes are available at GitHub AJV Release v6.14.0. The GitHub Advisory Database entry is tracked in Pull Request #6991.
Workarounds
- Set $data: false (or omit the option) in ajv configuration to prevent runtime resolution of patterns from request data
- Wrap validation calls in a worker thread or impose a per-request CPU time budget so a single payload cannot block the main event loop
- Pre-validate inbound regex strings against a length limit and a deny-list of backtracking-prone constructs before they reach the validator
# Configuration example
npm install ajv@^8.18.0
# or, for the 6.x branch:
npm install ajv@^6.14.0
# Verify installed version
npm ls ajv
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

