Resource exhaustion in Ajv.js Ajv

CVE-2025-69873

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is…

Vulnerability class: ReDoS (Regular Expression Denial of Service)

EPSS: 0.005 (38.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 2.9 (Low). Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2025-69873?
CVE-2025-69873 is a low-severity vulnerability in Ajv.js Ajv, classified under Inefficient Regular Expression Complexity. CVSS score: 2.9/10. Published 2026-02-11.
How severe is CVE-2025-69873?
Low severity. CVSS v3 base score is 2.9 out of 10.