Description
ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. With $data, the pattern keyword can take its value at runtime from the instance being validated, referenced by JSON Pointer syntax ($data reference). That value is passed directly to the JavaScript RegExp() constructor without validation, so untrusted instance data controls which regular expression is compiled and executed.
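The mechanism above, modelled in an added example (this is not ajv's own code): a `pattern` keyword whose value is a `$data` JSON Pointer into the instance, so the document being validated chooses the regex that gets compiled. `validateUnsafe` is the vulnerable shape; `validateHardened` only compiles patterns from an application-controlled allowlist and caps input length. The schema layout, the use of absolute RFC 6901 pointers (ajv's `$data` uses relative pointers), and the `"u"` flag are simplifications assumed for the example; the real fix is upgrading to the patched versions listed under Recommendation.

```javascript
// Added example, not ajv's own code. Models a `$data` pattern reference:
// the instance supplies both the regex and the string it runs on.
// Schema shape, absolute pointers and the "u" flag are assumptions.

// Minimal RFC 6901 JSON Pointer resolver: "" is the root, "/a/b~1c" walks
// data.a["b/c"]. Returns undefined when any segment is missing.
function resolvePointer(root, pointer) {
  if (pointer === "") return root;
  if (typeof pointer !== "string" || !pointer.startsWith("/")) {
    throw new Error("pointer must be an absolute JSON Pointer");
  }
  return pointer.slice(1).split("/").reduce((node, rawToken) => {
    if (node === null || typeof node !== "object") return undefined;
    const token = rawToken.replace(/~1/g, "/").replace(/~0/g, "~");
    return node[token];
  }, root);
}

// Vulnerable shape: whatever `$data` resolves to goes straight into RegExp().
// A hostile document controls both the pattern and the input it matches.
function validateUnsafe(schema, data) {
  const pattern = resolvePointer(data, schema.pattern.$data);
  const value = resolvePointer(data, schema.valuePointer);
  return new RegExp(pattern, "u").test(value);
}

// Hardened shape: the instance may only *select* a pattern from an allowlist
// the application controls; anything else is rejected before RegExp() is
// called. Input length is capped as a second, independent guard.
function validateHardened(schema, data, options) {
  const { allowlist, maxInputLength = 1024 } = options;
  const pattern = resolvePointer(data, schema.pattern.$data);
  const value = resolvePointer(data, schema.valuePointer);
  if (typeof pattern !== "string") {
    return { valid: false, reason: "pattern is not a string" };
  }
  if (!allowlist.has(pattern)) {
    return { valid: false, reason: "pattern not in allowlist" };
  }
  if (typeof value !== "string") {
    return { valid: false, reason: "value is not a string" };
  }
  if (value.length > maxInputLength) {
    return { valid: false, reason: "value exceeds maxInputLength" };
  }
  return { valid: new RegExp(pattern, "u").test(value), reason: null };
}

// Constructed sample schema and documents (hypothetical field names).
const schema = {
  pattern: { $data: "/regex" }, // regex is read from the instance itself
  valuePointer: "/value",       // field the regex is applied to
};
const allowlist = new Set(["^[0-9]{5}$", "^[a-z0-9-]{1,64}$"]);

const okDoc = { regex: "^[0-9]{5}$", value: "12345" };
const foreignDoc = { regex: "^[a-z]+$", value: "abc" }; // not an approved pattern

console.log(validateUnsafe(schema, okDoc));                       // true
console.log(validateUnsafe(schema, foreignDoc));                  // true: compiled blindly
console.log(validateHardened(schema, okDoc, { allowlist }));      // { valid: true, reason: null }
console.log(validateHardened(schema, foreignDoc, { allowlist })); // rejected before compile
```

The allowlist turns a data-controlled regex into a data-controlled choice among vetted patterns, which is the property the vulnerable path lacks; the length cap limits how much work any approved pattern can be made to do. Disabling `$data` for `pattern` altogether, where the schema does not need it, removes the issue entirely.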
Recommendation
Update the ajv package to the latest compatible version. Version details:
Affected version(s): **< 6.14.0**; **>= 7.0.0-alpha.0, < 8.18.0**
Patched version(s): **6.14.0**; **8.18.0**
References
Related Issues
- Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - @babel/runtime-corejs2 - CVE-2025-27789
- Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - @babel/helpers - CVE-2025-27789
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - vega - CVE-2025-26619
Last updated on March 02, 2026