Description
ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (a $data reference), and the referenced value is passed directly to the JavaScript RegExp() constructor without validation.
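The following is an added example, not ajv's own code. It models the risky step described above: a `pattern` keyword whose value is a `$data` reference (a JSON Pointer into the instance being validated), so the regex source comes from untrusted input. The guard shows the checks a defender can apply before `RegExp()` ever sees such a pattern. `MAX_PATTERN_LENGTH`, the nested-quantifier heuristic and the function names are assumptions made for this illustration; the sample instances are constructed.

```javascript
// Added example (not ajv's code): a $data-driven `pattern` keyword with a guard
// in front of RegExp(), so patterns taken from instance data are treated as untrusted.

const MAX_PATTERN_LENGTH = 256; // assumption: cap sized for typical schema patterns

// Resolve an absolute JSON Pointer (RFC 6901) against a document.
function resolvePointer(doc, pointer) {
  if (pointer === "") return doc;
  if (typeof pointer !== "string" || !pointer.startsWith("/")) {
    throw new Error("invalid JSON Pointer: " + String(pointer));
  }
  return pointer.slice(1).split("/").reduce((cur, token) => {
    const key = token.replace(/~1/g, "/").replace(/~0/g, "~");
    if (cur === null || typeof cur !== "object" || !Object.prototype.hasOwnProperty.call(cur, key)) {
      throw new Error("unresolvable JSON Pointer: " + pointer);
    }
    return cur[key];
  }, doc);
}

// Heuristic only: flags a quantified group that is itself quantified, e.g. (a+)+, (\d*)*, ([a-z]+){2,}.
// It does not catch every catastrophic pattern (overlapping alternations such as (a|aa)+ pass),
// so it complements, rather than replaces, refusing untrusted patterns outright.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*](?:[^()\\]|\\.)*\)[+*{]/;

function isSuspiciousPattern(pattern) {
  return NESTED_QUANTIFIER.test(pattern);
}

// Build a RegExp from a pattern that came from instance data, or throw.
function guardedRegExp(pattern) {
  if (typeof pattern !== "string") throw new TypeError("pattern from $data must be a string");
  if (pattern.length > MAX_PATTERN_LENGTH) throw new RangeError("pattern from $data too long");
  if (isSuspiciousPattern(pattern)) throw new Error("pattern from $data has nested quantifiers");
  return new RegExp(pattern, "u");
}

// Minimal stand-in for a `pattern` keyword with $data support. A pattern written
// literally in the schema is trusted; one resolved from the instance is not and
// must pass the guard, otherwise validation is aborted instead of evaluated.
function validatePatternKeyword(schemaPattern, instanceRoot, value) {
  const source = schemaPattern && typeof schemaPattern === "object" && "$data" in schemaPattern
    ? resolvePointer(instanceRoot, schemaPattern.$data) // runtime data: untrusted
    : schemaPattern;                                    // literal in the schema: trusted
  return guardedRegExp(source).test(value);
}

// Constructed sample: the instance supplies both the pattern and the string it is applied to.
const schema = { pattern: { $data: "/allowedFormat" } };
const benign = { allowedFormat: "^[a-z0-9_]{1,32}$", username: "alice_01" };
const hostile = { allowedFormat: "^(a+)+$", username: "a".repeat(30) + "!" };

console.log(validatePatternKeyword(schema.pattern, benign, benign.username)); // true
try {
  validatePatternKeyword(schema.pattern, hostile, hostile.username);
} catch (e) {
  console.log("rejected before RegExp():", e.message);
}

module.exports = { resolvePointer, isSuspiciousPattern, guardedRegExp, validatePatternKeyword };
```

The important design choice is where the trust boundary sits: a pattern that arrives through `$data` is part of the request, so it gets the same treatment as any other untrusted input (type check, size cap, structural screening) before it is compiled. The heuristic is deliberately conservative and incomplete; where the set of acceptable patterns is known in advance, an allowlist of pattern strings is the stronger control.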
Recommendation
Update the ajv package to the latest compatible version. Version details follow:
Affected version(s): **< 6.14.0; >= 7.0.0-alpha.0, < 8.18.0**
Patched version(s): **6.14.0, 8.18.0**
References
Related Issues
- matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
- SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering - CVE-2025-67647
- @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtrac - CVE-2025-25290
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
Tags: npm, ajv
Last updated on March 02, 2026