Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-69873

CVE-2025-69873: ajv JSON Schema Validator ReDoS Vulnerability

CVE-2025-69873 is a Regular Expression Denial of Service flaw in ajv JSON Schema Validator that allows attackers to cause complete service outages through malicious regex patterns. This article covers technical details, affected versions, impact analysis, and mitigation strategies.

Updated:

CVE-2025-69873 Overview

CVE-2025-69873 is a Regular Expression Denial of Service (ReDoS) vulnerability in ajv (Another JSON Schema Validator) versions before 8.18.0. The flaw exists when the $data option is enabled, allowing the pattern keyword to accept runtime data via JSON Pointer syntax. The supplied pattern is passed directly to the JavaScript RegExp() constructor without validation. An attacker can submit a malicious regex pattern combined with crafted input to trigger catastrophic backtracking. A single HTTP request can cause sustained CPU blocking against any API using ajv with $data: true for dynamic schema validation. The issue is also fixed in version 6.14.0.

Critical Impact

A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time, enabling single-request denial of service against affected APIs.

Affected Products

  • ajv (Another JSON Schema Validator) versions before 8.18.0
  • ajv 6.x branch before 6.14.0
  • Applications using ajv with the $data: true option enabled for dynamic schema validation

Discovery Timeline

  • 2026-02-11 - CVE-2025-69873 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-69873

Vulnerability Analysis

The vulnerability is classified under [CWE-1333] (Inefficient Regular Expression Complexity) and [CWE-400] (Uncontrolled Resource Consumption). The flaw allows an attacker to supply both the regular expression and the input string evaluated against it. When combined with backtracking-prone patterns, the JavaScript engine performs exponential work on each input character.

The attack relies on a classic evil regex such as ^(a|a)*$. Each additional matching character roughly doubles the execution time, so payloads grow lethal quickly. A 31-character input produces about 44 seconds of CPU blocking on a single thread. Node.js runs JavaScript on a single event loop, so blocking the thread halts all concurrent requests on that worker.

Root Cause

The root cause is missing validation on user-controllable regex patterns received through $data references. The pattern keyword in JSON Schema is intended to validate strings against a fixed pattern defined by the schema author. With $data: true, ajv resolves the pattern at runtime from a JSON Pointer that may reference attacker-controlled data. The resolved value is handed to new RegExp() without sanitization or complexity analysis, making backtracking attacks trivial to deliver.

Attack Vector

An attacker submits a JSON document to an API endpoint that validates input with ajv using $data: true. The document contains a JSON property that the schema treats as the pattern source, plus a target string crafted to force exponential backtracking. The validator compiles the supplied regex and applies it to the crafted string, consuming CPU until the match completes. While CVSS classifies the attack vector as local with high complexity and limited availability impact, real-world exposure depends on whether the schema design exposes $data-driven pattern evaluation to remote input. The vulnerability manifests in the pattern keyword handling logic; see the GitHub CVE-2025-69873 Disclosure and GitHub Security Advisory GHSA-2g4f-4pwh-qvx6 for technical details.

Detection Methods for CVE-2025-69873

Indicators of Compromise

  • Sustained 100% CPU utilization on Node.js worker processes following a single API request
  • Event loop blocking, request timeouts, and dropped health checks on services using ajv
  • Inbound JSON payloads containing regex metacharacter clusters such as (a|a)*, (a+)+, or (.*)* in fields referenced by a $data pattern

Detection Strategies

  • Inventory dependencies for ajv versions earlier than 8.18.0 (and earlier than 6.14.0 on the 6.x line) using software composition analysis or npm ls ajv
  • Audit JSON Schemas in the codebase for $data: true combined with the pattern keyword, and flag any schema where pattern resolves from untrusted input
  • Correlate API request logs with CPU spikes and event loop lag metrics to identify ReDoS triggers

Monitoring Recommendations

  • Track event loop lag and per-request CPU time on Node.js services and alert on outliers exceeding normal validation latency
  • Log and sample JSON request bodies to inspect for adversarial regex fragments in fields used as dynamic patterns
  • Monitor Web Application Firewall (WAF) telemetry for payloads matching common evil regex signatures targeting JSON APIs

How to Mitigate CVE-2025-69873

Immediate Actions Required

  • Upgrade ajv to version 8.18.0 or later, or to 6.14.0 on the 6.x branch
  • Disable the $data option in schemas that do not require runtime references
  • Review all schemas for pattern keywords whose values can be controlled by request data, and remove or constrain them

Patch Information

The fix is shipped in ajv 8.18.0 and back-ported to 6.14.0. The relevant changes are tracked in GitHub AJV Pull Request #2588 and GitHub AJV Pull Request #2590. Release notes are available at GitHub AJV Release v6.14.0. The GitHub Advisory Database entry is tracked in Pull Request #6991.

Workarounds

  • Set $data: false (or omit the option) in ajv configuration to prevent runtime resolution of patterns from request data
  • Wrap validation calls in a worker thread or impose a per-request CPU time budget so a single payload cannot block the main event loop
  • Pre-validate inbound regex strings against a length limit and a deny-list of backtracking-prone constructs before they reach the validator
bash
# Configuration example
npm install ajv@^8.18.0
# or, for the 6.x branch:
npm install ajv@^6.14.0

# Verify installed version
npm ls ajv

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.