CVE-2025-69873 Overview
A Regular Expression Denial of Service (ReDoS) vulnerability exists in ajv (Another JSON Schema Validator) through version 8.17.1 when the $data option is enabled. The vulnerability allows attackers to inject malicious regex patterns that cause catastrophic backtracking, resulting in complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
Critical Impact
A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with minimal attacker effort.
Affected Products
- ajv (Another JSON Schema Validator) through version 8.17.1
- Applications using ajv with $data: true configuration
- APIs performing dynamic schema validation with runtime data
Discovery Timeline
- 2026-02-11 - CVE-2025-69873 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2025-69873
Vulnerability Analysis
This vulnerability exploits a fundamental flaw in how ajv handles the pattern keyword when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without any validation or sanitization.
The lack of input validation enables attackers to supply malicious regular expressions that exhibit exponential time complexity during matching operations. This is classified as CWE-400 (Uncontrolled Resource Consumption), as the vulnerable code path allows unbounded CPU consumption through carefully crafted inputs.
Root Cause
The root cause lies in the direct passthrough of user-controlled data to the RegExp() constructor. When ajv is configured with $data: true, the library allows schemas to reference runtime values using JSON Pointer notation. The pattern keyword implementation accepts these dynamic values and constructs regular expressions without validating whether the pattern could cause catastrophic backtracking.
Patterns like ^(a|a)*$ contain nested quantifiers that create exponential state space during regex matching. When combined with crafted input strings, the JavaScript regex engine enters a backtracking spiral that consumes CPU resources proportional to 2^n where n is the input length.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can craft a malicious JSON payload containing:
- A schema with a $data reference in the pattern field pointing to attacker-controlled data
- A regex pattern designed for catastrophic backtracking (e.g., ^(a|a)*$)
- Input data crafted to maximize backtracking iterations
The vulnerability manifests when the attacker submits a JSON request to any API endpoint that performs dynamic schema validation using ajv with $data enabled. A single HTTP request containing a 31-character payload can block the Node.js process for approximately 44 seconds, and each additional character doubles the processing time. For detailed technical information, see the GitHub CVE-2025-69873 Disclosure.
Detection Methods for CVE-2025-69873
Indicators of Compromise
- Abnormally high CPU utilization on servers running Node.js applications with ajv
- HTTP requests containing regex metacharacters in JSON payloads (e.g., ^, $, *, +, |)
- Request timeouts or application unresponsiveness following specific API calls
- Repeated patterns like (a|a)* or (a+)+ in request bodies
Detection Strategies
- Monitor application response times for sudden degradation patterns indicating ReDoS attacks
- Implement request body inspection rules to detect common ReDoS patterns in JSON payloads
- Deploy SentinelOne Singularity Platform to identify and alert on CPU exhaustion patterns characteristic of ReDoS exploitation
- Configure web application firewalls to flag requests containing nested quantifiers in string fields
Monitoring Recommendations
- Set up CPU utilization alerts with thresholds appropriate for detecting sustained high-load events
- Implement request timeout monitoring to identify endpoints experiencing unusual delays
- Enable detailed logging for ajv validation operations to capture suspicious schema patterns
- Deploy SentinelOne's behavioral AI to detect anomalous resource consumption patterns in real-time
How to Mitigate CVE-2025-69873
Immediate Actions Required
- Audit all applications using ajv to identify instances where $data: true is configured
- Disable the $data option if dynamic pattern validation is not strictly required
- Implement request timeout limits at the application and infrastructure levels
- Deploy rate limiting to reduce the impact of repeated DoS attempts
Patch Information
At the time of publication, refer to the GitHub CVE-2025-69873 Disclosure for the latest patch status and remediation guidance. Monitor the official ajv repository for security updates addressing this vulnerability.
Workarounds
- Disable the $data option in ajv configuration if runtime schema references are not required
- Implement a validation layer to sanitize or reject regex patterns before they reach ajv
- Set strict request timeouts at the reverse proxy or load balancer level to terminate long-running requests
- Consider using regex analysis libraries to detect potentially malicious patterns before validation
Configuration example - disable the $data option in the ajv initialization (in your Node.js application configuration):

// $data is off by default; setting it explicitly to false makes the intent visible in code review
const Ajv = require("ajv");
const ajv = new Ajv({ $data: false });

Nginx timeout configuration to limit request processing time:

location /api/ {
    # Frees the client connection after 5s; note that the Node.js process itself
    # stays blocked until the regex match finishes, so this limits exposure rather than the CPU cost
    proxy_read_timeout 5s;
    proxy_connect_timeout 5s;
    proxy_send_timeout 5s;
}
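As an added example (not code from the ajv project or from this advisory) of the validation layer recommended above, this Node.js module screens regex patterns before they reach ajv and flags any schema whose pattern keyword is resolved from runtime data through $data. The heuristic regexes, the 256-character cap, and the relative JSON pointer "1/regex" in the sample schema are assumptions for illustration.

```javascript
// Added example, not code from the ajv project: a screening layer that runs
// before a schema reaches ajv, so strings that would be handed to RegExp()
// are checked first. The heuristics are deliberately conservative and will
// reject some harmless patterns; tune MAX_PATTERN_LENGTH and the regexes to your API.
const MAX_PATTERN_LENGTH = 256; // assumed limit

// A quantified group that itself contains a quantifier: (a+)+, (a*)*, (a{2,})*
const NESTED_QUANTIFIER = /\([^()]*[*+}][^()]*\)[*+{]/;
// A quantified group containing alternation: (a|a)*, (x|xy)+
const QUANTIFIED_ALTERNATION = /\([^()]*\|[^()]*\)[*+{]/;

function isSafePattern(pattern) {
  if (typeof pattern !== 'string' || pattern.length > MAX_PATTERN_LENGTH) return false;
  if (NESTED_QUANTIFIER.test(pattern) || QUANTIFIED_ALTERNATION.test(pattern)) return false;
  try {
    new RegExp(pattern, 'u'); // must at least compile; ajv 8 uses the u flag by default
  } catch (e) {
    return false;
  }
  return true;
}

// Walks a JSON Schema and reports every `pattern` keyword that is unsafe: a literal
// pattern failing isSafePattern, or a $data reference, which lets runtime data choose
// the regex (the code path behind CVE-2025-69873). Returns [] for a clean schema.
function findUnsafePatterns(schema, path = '#') {
  const findings = [];
  if (schema === null || typeof schema !== 'object') return findings;
  for (const [key, value] of Object.entries(schema)) {
    const here = `${path}/${key}`;
    if (key === 'pattern' && typeof value === 'string') {
      if (!isSafePattern(value)) findings.push({ path: here, reason: 'pattern rejected by ReDoS heuristics' });
    } else if (key === 'pattern' && value !== null && typeof value === 'object' && '$data' in value) {
      findings.push({ path: here, reason: 'pattern taken from runtime data via $data' });
    } else {
      findings.push(...findUnsafePatterns(value, here)); // subschema (e.g. properties.pattern)
    }
  }
  return findings;
}

// Constructed schema of the kind the advisory describes: the regex applied to
// "value" is read from the request body field "regex" at validation time.
const dynamicSchema = {
  type: 'object',
  properties: {
    regex: { type: 'string' },
    value: { type: 'string', pattern: { $data: '1/regex' } },
  },
};
```

Run findUnsafePatterns over every schema at startup (and over any schema assembled from request data) and refuse to compile it when the result is non-empty.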
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.