Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/ajv@8.18.0
purl pkg:npm/ajv@8.18.0
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-1znw-5dwm-7ydy ajv has ReDoS when using `$data` option ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\"^(a|a)*$\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation. CVE-2025-69873
GHSA-2g4f-4pwh-qvx6

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T16:07:58.480533+00:00 GHSA Importer Fixing VCID-1znw-5dwm-7ydy https://github.com/advisories/GHSA-2g4f-4pwh-qvx6 38.0.0
2026-04-01T12:53:51.054116+00:00 GitLab Importer Fixing VCID-1znw-5dwm-7ydy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/ajv/CVE-2025-69873.yml 38.0.0
2026-04-01T12:53:09.696223+00:00 GithubOSV Importer Fixing VCID-1znw-5dwm-7ydy https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json 38.0.0