Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:deb/debian/node-ajv@8.18.0~ds%2B~cs6.1.1-1
purl pkg:deb/debian/node-ajv@8.18.0~ds%2B~cs6.1.1-1
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-1znw-5dwm-7ydy ajv has ReDoS when using `$data` option ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\"^(a|a)*$\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation. CVE-2025-69873
GHSA-2g4f-4pwh-qvx6

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T08:40:22.295490+00:00 Debian Importer Fixing VCID-1znw-5dwm-7ydy https://security-tracker.debian.org/tracker/data/json 38.4.0
2026-04-11T17:49:46.055623+00:00 Debian Importer Fixing VCID-1znw-5dwm-7ydy https://security-tracker.debian.org/tracker/data/json 38.3.0
2026-04-08T17:44:13.992275+00:00 Debian Importer Fixing VCID-1znw-5dwm-7ydy https://security-tracker.debian.org/tracker/data/json 38.1.0