CVE-2025-69873
📋 TL;DR
CVE-2025-69873 is a Regular Expression Denial of Service (ReDoS) vulnerability in ajv (Another JSON Schema Validator) that allows attackers to cause CPU exhaustion by injecting malicious regex patterns when the $data option is enabled. This affects any API or application using ajv with dynamic schema validation via JSON Pointer syntax. A single HTTP request can cause complete denial of service by blocking the Node.js event loop.
💻 Affected Systems
- ajv (Another JSON Schema Validator)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability with a single malicious request causing CPU exhaustion and blocking all subsequent requests until the process crashes or times out.
Likely Case
Degraded performance and intermittent service disruptions as attackers exploit the vulnerability to consume server resources.
If Mitigated
Minimal impact if the $data option is disabled or input validation prevents regex injection.
🎯 Exploit Status
Exploitation requires knowledge of vulnerable endpoints using $data option with pattern validation. Payload construction is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.17.2 and later
Vendor Advisory: https://github.com/ajv-validator/ajv/security/advisories
Restart Required: No
Instructions:
1. Update the ajv dependency to version 8.17.2 or higher.
2. Run 'npm update ajv' or 'yarn upgrade ajv'.
3. Test schema validation functionality.
🔧 Temporary Workarounds
Disable $data option
Disable dynamic schema validation via JSON Pointer to prevent regex injection.
Set $data: false in ajv configuration
Input validation
Validate and sanitize all user input before passing it to ajv pattern validation.
🧯 If You Can't Patch
- Disable $data option in all ajv instances
- Implement rate limiting and request validation to block malicious patterns
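The workarounds above amount to keeping regexes static. As an added example (not ajv's own code, and not part of the original advisory), the following gate scans a JSON Schema before compilation and refuses any `pattern` keyword whose value is a `$data` reference, which is the shape that lets instance data supply the regex; the names findDataPatterns and assertStaticPatterns are assumptions of this example.

```javascript
// Added example, not ajv's own code: statically scan a JSON Schema for
// `pattern` keywords whose value is a `$data` reference. With
// `new Ajv({ $data: true })` such a pattern is read from the instance being
// validated, so the regex text itself becomes attacker-controlled (ReDoS).
// findDataPatterns/assertStaticPatterns are our names, not an ajv API.

// Walk the schema and collect every `pattern` keyword whose value uses $data.
// Over-approximate on purpose: a property literally named "pattern" holding
// an object with a "$data" key is flagged too, which is acceptable for a gate.
function findDataPatterns(schema, path = "#") {
  const hits = [];
  if (Array.isArray(schema)) {
    schema.forEach((s, i) => hits.push(...findDataPatterns(s, `${path}/${i}`)));
    return hits;
  }
  if (schema === null || typeof schema !== "object") return hits;
  for (const [key, value] of Object.entries(schema)) {
    const here = `${path}/${key}`;
    if (key === "pattern" && value !== null && typeof value === "object" && "$data" in value) {
      hits.push({ path: here, ref: String(value.$data) });
      continue;
    }
    hits.push(...findDataPatterns(value, here));
  }
  return hits;
}

// Gate to call before ajv.compile(): refuse schemas with dynamic patterns.
// Pair it with leaving the ajv $data option at its default (false).
function assertStaticPatterns(schema) {
  const hits = findDataPatterns(schema);
  if (hits.length > 0) {
    const where = hits.map((h) => `${h.path} <- ${h.ref}`).join(", ");
    throw new Error(`dynamic $data pattern rejected (ReDoS risk): ${where}`);
  }
  return schema;
}

// Constructed samples. The second schema takes its regex from the instance's
// own "userPattern" property (relative JSON Pointer "1/userPattern").
const staticSchema = {
  type: "object",
  properties: { name: { type: "string", pattern: "^[a-z]+$" } },
};
const dynamicSchema = {
  type: "object",
  properties: {
    name: { type: "string", pattern: { $data: "1/userPattern" } },
    userPattern: { type: "string" },
  },
};
```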
🔍 How to Verify
Check if Vulnerable:
Check whether the installed ajv version is 8.17.1 or earlier AND the $data option is enabled in its configuration.
Check Version:
npm list ajv | grep ajv
Verify Fix Applied:
Verify that the installed ajv version is 8.17.2 or later using the version check command above.
📡 Detection & Monitoring
Log Indicators:
- Unusually long processing times for JSON validation requests
- High CPU usage spikes from Node.js processes
- Requests with complex regex patterns in payload
Network Indicators:
- HTTP requests containing $data references with pattern keywords
- Repeated validation requests to same endpoint
SIEM Query:
source="application.logs" AND (message="*$data*" OR message="*pattern*" OR message="*validation*timeout*")
🔗 References
- https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
- https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
- https://github.com/ajv-validator/ajv/pull/2588
- https://github.com/ajv-validator/ajv/pull/2590
- https://github.com/ajv-validator/ajv/releases/tag/v6.14.0
- https://github.com/github/advisory-database/pull/6991