Publish GHSA-2g4f-4pwh-qvx6

advisory-database[bot] · advisory-database[bot] · commit c06dd00cac4f · 2026-02-20T21:00:57.000Z
diff --git a/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json b/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json
@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2g4f-4pwh-qvx6",
-  "modified": "2026-02-17T18:10:29Z",
+  "modified": "2026-02-20T20:59:11Z",
   "published": "2026-02-11T21:30:39Z",
   "aliases": [
     "CVE-2025-69873"
   ],
-  "summary": "ajv has ReDoS when using $data option",
+  "summary": "ajv has ReDoS when using `$data` option",
   "details": "ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\\\"^(a|a)*$\\\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation.",
   "severity": [
     {
@@ -25,14 +25,33 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "7.0.0-alpha.0"
             },
             {
               "fixed": "8.18.0"
             }
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "ajv"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.14.0"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [
@@ -44,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/ajv-validator/ajv/pull/2586"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ajv-validator/ajv/pull/2588"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5"
@@ -56,6 +79,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/ajv-validator/ajv"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ajv-validator/ajv/releases/tag/v6.14.0"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ajv-validator/ajv/releases/tag/v8.18.0"
