From nobody Mon Apr  6 10:53:06 2026
Received: (at submit) by bugs.debian.org; 16 Feb 2026 01:17:11 +0000
Return-path: <james@bitrefactory.com>
Received: from fout-b7-smtp.messagingengine.com ([202.12.124.150]:36241)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <james@bitrefactory.com>)
 id 1vrnEb-00DzJZ-1Y for submit@bugs.debian.org;
 Mon, 16 Feb 2026 01:17:11 +0000
Received: from phl-compute-10.internal (phl-compute-10.internal [10.202.2.50])
 by mailfout.stl.internal (Postfix) with ESMTP id 2A04B1D00150
 for <submit@bugs.debian.org>; Sun, 15 Feb 2026 20:17:07 -0500 (EST)
Received: from phl-imap-18 ([10.202.2.89])
 by phl-compute-10.internal (MEProxy); Sun, 15 Feb 2026 20:17:07 -0500
Feedback-ID: i5f6146e3:Fastmail
Received: by mailuser.phl.internal (Postfix, from userid 501)
 id 86FCB15C008C; Sun, 15 Feb 2026 20:17:06 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
MIME-Version: 1.0
Date: Sun, 15 Feb 2026 20:16:46 -0500
From: "James Montgomery" <james@bitrefactory.com>
To: submit@bugs.debian.org
Message-Id: <e5b35ef3-22ff-448b-90c2-afaa195e6916@app.fastmail.com>
Subject: node-ajv: CVE-2025-69873: ReDoS in pattern keyword with
 $data option
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Delivered-To: submit@bugs.debian.org

Package: node-ajv
Version: 8.17.1-1
Severity: important
Tags: security upstream

The ajv package through version 8.17.1 is vulnerable to Regular
Expression Denial of Service (ReDoS) when the $data option is enabled.
The pattern keyword, when used with $data references, passes runtime
data directly to the JavaScript RegExp() constructor without validation.

Affected Debian versions:
* unstable: 8.17.1~ds+~3.0.1+~3.1.0-4 
* testing: 8.17.1~ds+~3.0.1+~3.1.0-4 
* stable: 8.12.0~ds+~2.1.1-5 

Fixed upstream in version 8.18.0.

https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5

References:
* CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69873
* Disclosure: https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
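
An added example, not part of the original report and not ajv's own code: a dependency-free auditor that walks a JSON Schema and reports every `pattern` keyword whose value is a `$data` reference, the construct the report describes as feeding runtime data to RegExp(). The function name, the keyword sets and the sample schema are assumptions constructed for illustration.

```javascript
"use strict";
// Added example (not ajv code): locate `pattern` keywords that take their
// regular expression from instance data through a $data reference.

// Keywords whose object values map arbitrary names to subschemas, so a key
// called "pattern" underneath them is a property name, not the keyword.
const NAME_MAPS = new Set(["properties", "patternProperties", "$defs",
  "definitions", "dependentSchemas", "dependencies"]);
// Keywords whose values are plain data and must not be read as schemas.
const DATA_KEYWORDS = new Set(["const", "enum", "default", "examples"]);

// Escape one key for use as a JSON Pointer segment (RFC 6901).
const escapePtr = (s) => String(s).replace(/~/g, "~0").replace(/\//g, "~1");

function findDataPatterns(schema, path = "", isNameMap = false, out = []) {
  if (Array.isArray(schema)) {
    schema.forEach((item, i) => findDataPatterns(item, `${path}/${i}`, false, out));
    return out;
  }
  if (schema === null || typeof schema !== "object") return out;
  for (const [key, value] of Object.entries(schema)) {
    const here = `${path}/${escapePtr(key)}`;
    if (isNameMap) {            // key is a name, value is a subschema
      findDataPatterns(value, here, false, out);
    } else if (DATA_KEYWORDS.has(key)) {
      continue;                 // literal data, never compiled as a schema
    } else if (key === "pattern" && value !== null &&
               typeof value === "object" && typeof value.$data === "string") {
      out.push({ at: here, source: value.$data });
    } else {
      findDataPatterns(value, here, NAME_MAPS.has(key), out);
    }
  }
  return out;
}

// Constructed sample schema, not taken from any real project.
const sampleSchema = {
  type: "object",
  properties: {
    pattern: { type: "string" },                        // property named "pattern"
    name: { type: "string", pattern: "^[a-z]+$" },      // literal regex: not flagged
    value: { type: "string", pattern: { $data: "1/pattern" } },
  },
  allOf: [{ properties: { code: { pattern: { $data: "/rules/code" } } } }],
  examples: [{ pattern: { $data: "ignored" } }],
};

console.log(findDataPatterns(sampleSchema));
```

A finding only matters where the validator is constructed with the $data option enabled; schemas that report nothing here use literal patterns only.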