ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., ^(a|a)*$) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.
Weakness
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat Ansible Automation Platform 2.5 for RHEL 8 | RedHat | automation-gateway-0:2.5.20260422-2.el8ap | * |
| Red Hat Ansible Automation Platform 2.5 for RHEL 9 | RedHat | automation-gateway-0:2.5.20260422-2.el9ap | * |
| Red Hat Ansible Automation Platform 2.6 for RHEL 9 | RedHat | automation-platform-ui-0:2.6.7-1.el9ap | * |
| Network Observability (NETOBSERV) 1.11.2 | RedHat | network-observability/network-observability-console-plugin-compat-rhel9:1778508956 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/gateway-rhel9:1774243862 | * |
| Red Hat Ansible Automation Platform 2.6 | RedHat | ansible-automation-platform-26/gateway-rhel9:1774243862 | * |
| Red Hat Developer Hub 1.8 | RedHat | rhdh/rhdh-hub-rhel9:1776784286 | * |
| Red Hat Developer Hub 1.9 | RedHat | rhdh/rhdh-hub-rhel9:1775140647 | * |
| Red Hat OpenShift AI 2.16 | RedHat | rhoai/odh-dashboard-rhel8:1774282136 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-dashboard-rhel9:1779189627 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-mod-arch-gen-ai-rhel9:1778473763 | * |
| Red Hat OpenShift AI 3.3 | RedHat | rhoai/odh-mod-arch-model-registry-rhel9:1778666987 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | openshift4/ose-monitoring-plugin-rhel8:1778036641 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | openshift4/ose-monitoring-plugin-rhel8:1777994844 | * |
| Red Hat OpenShift Container Platform 4.16 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1774452649 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1774474908 | * |
| Red Hat OpenShift Container Platform 4.19 | RedHat | openshift4/ose-monitoring-plugin-rhel9:1776675872 | * |
| Red Hat OpenShift Dev Spaces 3.27 | RedHat | devspaces/code-rhel9:1774448966 | * |
| Red Hat OpenShift Dev Spaces 3.27 | RedHat | devspaces/dashboard-rhel9:1774476526 | * |
| Red Hat Quay 3.14 | RedHat | quay/quay-rhel8:1775512163 | * |
| Red Hat Quay 3.15 | RedHat | quay/quay-rhel8:1775169219 | * |
| Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1775069491 | * |
| Red Hat Quay 3.16 | RedHat | quay/quay-rhel9:1775169226 | * |
| Red Hat Quay 3.9 | RedHat | quay/quay-rhel8:1773936323 | * |
| Red Hat Satellite 6.18 | RedHat | satellite/iop-remediations-rhel9:1781247025 | * |
| Red Hat Satellite 6.18 | RedHat | satellite/iop-advisor-frontend-rhel9:1781181673 | * |
Potential Mitigations
Related Attack Patterns
References
- https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
- https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
- https://github.com/ajv-validator/ajv/pull/2588
- https://github.com/ajv-validator/ajv/pull/2590
- https://github.com/ajv-validator/ajv/releases/tag/v6.14.0
- https://github.com/github/advisory-database/pull/6991