[Pkg-javascript-devel] Bug#1128140: node-ajv: CVE-2025-69873: ReDoS in pattern keyword with $data option
James Montgomery
james at bitrefactory.com
Mon Feb 16 01:16:46 GMT 2026
Package: node-ajv
Version: 8.17.1-1
Severity: important
Tags: security upstream
The ajv package through version 8.17.1 is vulnerable to Regular Expression
Denial of Service (ReDoS) when the $data option is enabled. When the pattern
keyword takes its value from a $data reference, the pattern is read from the
instance being validated and handed straight to the JavaScript RegExp()
constructor without any validation. Whoever controls the instance therefore
chooses both the regular expression and the string it is matched against, and
a catastrophically backtracking pattern stalls the validating process.
Affected Debian versions:
* unstable: 8.17.1~ds+~3.0.1+~3.1.0-4
* testing: 8.17.1~ds+~3.0.1+~3.1.0-4
* stable: 8.12.0~ds+~2.1.1-5
Fixed upstream in version 8.18.0.
https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5
References:
* CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69873
* Disclosure: https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
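The following is an added illustration of the reported shape, not ajv's own code: a minimal model of a `pattern` keyword whose regex is resolved through a relative JSON pointer from a `$data` reference, so the instance under validation supplies both the regular expression and the string it is matched against. `validatePatternUnsafe()` mirrors the behaviour the report describes; `validatePatternSafe()` screens the pattern (length bound and a star-height check) before `RegExp()` ever sees it. All function names, the `MAX_PATTERN_LENGTH` bound and the sample documents are this example's own assumptions.

```javascript
"use strict";

// Resolve a relative JSON pointer such as "1/re" against `stack`, the chain
// [root, ..., parent, current]: the leading integer climbs that many levels,
// the optional path then descends by property name (~1 and ~0 unescaped).
function resolveRelativePointer(stack, pointer) {
  const m = /^(\d+)(\/.*)?$/.exec(String(pointer));
  if (!m) throw new Error("bad relative JSON pointer: " + pointer);
  const up = Number(m[1]);
  if (up >= stack.length) return undefined;
  let node = stack[stack.length - 1 - up];
  const segments = m[2] ? m[2].slice(1).split("/") : [];
  for (const seg of segments) {
    if (node === null || typeof node !== "object") return undefined;
    node = node[seg.replace(/~1/g, "/").replace(/~0/g, "~")];
  }
  return node;
}

// The keyword value is either a literal pattern or { $data: "<pointer>" }.
function resolvePattern(keywordValue, stack) {
  if (keywordValue && typeof keywordValue === "object" && "$data" in keywordValue) {
    return resolveRelativePointer(stack, keywordValue.$data);
  }
  return keywordValue;
}

// Vulnerable shape: whatever the instance placed behind the pointer reaches
// RegExp() unchecked, so "^(a+)+$" against "aaaa...!" backtracks exponentially.
function validatePatternUnsafe(keywordValue, stack) {
  const value = stack[stack.length - 1];
  const source = resolvePattern(keywordValue, stack);
  return { valid: new RegExp(source).test(value) };
}

// Star height of a pattern: 1 for "a+", 2 for "(a+)+". Nested quantifiers are
// the classic catastrophic-backtracking shape. Escapes, character classes and
// (?:...) / (?<name>...) group prefixes are skipped so their contents are not
// mistaken for quantifiers. Throws on unbalanced groups.
function starHeight(pattern) {
  const stack = [0]; // max height seen inside each open group; [0] is top level
  const quantifierAt = (j) =>
    pattern[j] === "*" || pattern[j] === "+" || pattern[j] === "?" ||
    (pattern[j] === "{" && /^\{\d+(,\d*)?\}/.test(pattern.slice(j)));
  const skipQuantifier = (j) => {
    j = pattern[j] === "{" ? pattern.indexOf("}", j) + 1 : j + 1;
    return pattern[j] === "?" ? j + 1 : j; // lazy modifier
  };
  let i = 0;
  while (i < pattern.length) {
    const c = pattern[i];
    let atomHeight = 0;
    if (c === "\\") {
      i += 2;
    } else if (c === "[") {
      i += 1;
      if (pattern[i] === "^") i += 1;
      if (pattern[i] === "]") i += 1;
      while (i < pattern.length && pattern[i] !== "]") i += pattern[i] === "\\" ? 2 : 1;
      i += 1;
    } else if (c === "(") {
      stack.push(0);
      i += 1;
      if (pattern[i] === "?") {
        i += 1;
        if (pattern[i] === "<" && pattern[i + 1] !== "=" && pattern[i + 1] !== "!") {
          i = pattern.indexOf(">", i) + 1; // named group
        } else {
          i += 1; // ":", "=", "!" or the "<" of a lookbehind
        }
      }
      continue;
    } else if (c === ")") {
      if (stack.length < 2) throw new SyntaxError("unbalanced ) in pattern");
      atomHeight = stack.pop();
      i += 1;
    } else if (c === "|") {
      i += 1;
      continue;
    } else {
      i += 1;
    }
    if (quantifierAt(i)) {
      atomHeight += 1;
      i = skipQuantifier(i);
    }
    stack[stack.length - 1] = Math.max(stack[stack.length - 1], atomHeight);
  }
  if (stack.length !== 1) throw new SyntaxError("unbalanced ( in pattern");
  return stack[0];
}

const MAX_PATTERN_LENGTH = 256; // assumed bound for this example

// Hardened shape: refuse non-strings, oversized patterns and star height > 1
// before compiling; a malformed pattern still surfaces as a SyntaxError.
function compilePatternSafely(source) {
  if (typeof source !== "string") throw new TypeError("pattern must be a string");
  if (source.length > MAX_PATTERN_LENGTH) throw new RangeError("pattern too long");
  if (starHeight(source) > 1) throw new RangeError("nested quantifiers refused: " + source);
  return new RegExp(source);
}

function validatePatternSafe(keywordValue, stack) {
  const value = stack[stack.length - 1];
  let re;
  try {
    re = compilePatternSafely(resolvePattern(keywordValue, stack));
  } catch (err) {
    return { valid: false, error: err.message };
  }
  return { valid: re.test(value) };
}

// Constructed instance documents (not real traffic). The schema fragment
// modelled is { properties: { name: { pattern: { $data: "1/re" } } } }: while
// `name` is validated, "1/re" climbs to the parent object and reads `re`.
const keyword = { $data: "1/re" };
const benign = { re: "^[a-z]+$", name: "alice" };
const hostile = { re: "^(a+)+$", name: "a".repeat(40) + "!" };

console.log(validatePatternUnsafe(keyword, [benign, benign.name]));  // { valid: true }
console.log(validatePatternSafe(keyword, [hostile, hostile.name]));  // refused before RegExp()
// validatePatternUnsafe(keyword, [hostile, hostile.name]) would burn roughly 2^40 steps.
```

The star-height limit is the same heuristic the `safe-regex` npm package applies; it catches the nested-quantifier family but not every superlinear pattern (for instance `(a|aa)*` has height 1 and is still ambiguous), so treat it as a screen, not a proof. The robust options are to not let the instance supply patterns at all (keep `$data` disabled, which is its default, for schemas that validate untrusted input) or to match with a linear-time engine such as RE2.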