CVE-2025-69873: n/a
ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
AI Analysis
Technical Summary
The vulnerability CVE-2025-69873 affects ajv (Another JSON Schema Validator), a widely used JavaScript library for validating JSON schemas. Specifically, versions through 8.17.1 are vulnerable when the $data option is enabled, which allows schema patterns to be dynamically defined at runtime using JSON Pointer syntax. The pattern keyword accepts this runtime data and passes it directly to the JavaScript RegExp constructor without any sanitization or validation. This enables an attacker to inject malicious regular expressions designed to cause catastrophic backtracking, a condition where the regex engine consumes exponentially increasing CPU resources when processing crafted input. For example, a pattern like "^(a|a)*$" combined with a carefully constructed input string can cause the CPU to be blocked for approximately 44 seconds with only a 31-character payload, with execution time doubling for each additional character. This results in a potent Regular Expression Denial of Service (ReDoS) attack that can be triggered remotely via a single HTTP request to any API using ajv with $data: true for dynamic schema validation. The vulnerability does not affect confidentiality or integrity but severely impacts availability. No authentication or user interaction is required, making exploitation straightforward if the vulnerable configuration is present. The CVSS v3.1 score is 7.5 (High), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and a high impact on availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date.
Potential Impact
This vulnerability can cause complete denial of service of APIs or services that use ajv with the $data option enabled for dynamic schema validation. The ReDoS attack leads to excessive CPU consumption, blocking legitimate requests and potentially causing service outages or degraded performance. Organizations relying on ajv in critical web applications, microservices, or API gateways are at risk of disruption. The attack requires only a single crafted HTTP request, making it easy to weaponize and potentially scalable for attackers. While confidentiality and integrity are not directly impacted, the availability loss can lead to significant operational and reputational damage, especially for high-traffic or customer-facing services. Additionally, the lack of authentication or user interaction requirements broadens the attack surface, allowing remote unauthenticated attackers to exploit the vulnerability. This can also facilitate secondary attacks, such as distraction during other intrusions or resource exhaustion in multi-tenant environments.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first identify all instances where ajv is used with the $data option enabled for dynamic schema validation. Immediate mitigation includes disabling the $data option if dynamic pattern validation is not strictly necessary. If dynamic patterns are required, implement strict validation or sanitization of any runtime regex patterns before they are passed to the RegExp constructor to prevent malicious input. Monitoring and rate limiting incoming requests to APIs using ajv can help reduce the risk of large-scale exploitation. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious regex patterns or anomalous request payloads may also be effective. Organizations should track updates from the ajv maintainers and apply patches promptly once available. Additionally, consider using alternative JSON schema validators that do not expose similar dynamic regex injection risks or that have built-in protections against ReDoS. Conduct thorough testing of regex patterns used in schemas to identify potential catastrophic backtracking scenarios before deployment.
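A hardened stand-in for the vulnerable code path, added here as an example and not ajv's own code: it resolves a `$data` JSON Pointer against the instance and vets the resulting pattern with conservative heuristics before anything reaches `RegExp()`, which is the "validate or sanitize runtime regex patterns" step recommended above. Function names (`checkPattern`, `vetPattern`, `resolvePointer`) are hypothetical; only absolute RFC 6901 pointers are handled, and the heuristics are deliberately over-broad (false positives are acceptable for a deny check).

```javascript
// Added example (not ajv's own code): vet a runtime pattern before RegExp().
// Assumes the pattern keyword is either a literal string or {"$data": "/ptr"}
// where "/ptr" is an absolute JSON Pointer into the validated instance.

const MAX_PATTERN_LENGTH = 256;
// A quantified group that itself contains a quantifier, e.g. (a+)+ ...
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[*+](?:[^()\\]|\\.)*\)[*+{]/;
// ... or a quantified group containing an alternation, e.g. (a|a)* .
const QUANTIFIED_ALTERNATION = /\((?:[^()\\]|\\.)*\|(?:[^()\\]|\\.)*\)[*+{]/;

// Resolve an absolute JSON Pointer (RFC 6901); undefined if the path is missing.
function resolvePointer(root, pointer) {
  if (pointer === '') return root;
  if (typeof pointer !== 'string' || pointer[0] !== '/') {
    throw new Error('absolute JSON Pointer expected');
  }
  return pointer.slice(1).split('/').reduce((node, rawToken) => {
    const token = rawToken.replace(/~1/g, '/').replace(/~0/g, '~');
    if (node === null || typeof node !== 'object' || !(token in node)) return undefined;
    return node[token];
  }, root);
}

// Returns a refusal reason, or null when the pattern may be compiled.
function vetPattern(pattern) {
  if (typeof pattern !== 'string') return 'pattern is not a string';
  if (pattern.length > MAX_PATTERN_LENGTH) return 'pattern too long';
  if (NESTED_QUANTIFIER.test(pattern)) return 'nested quantifier';
  if (QUANTIFIED_ALTERNATION.test(pattern)) return 'quantified alternation';
  try { new RegExp(pattern); } catch (e) { return 'invalid regex'; }
  return null;
}

// Validate `value` against the pattern keyword. A refused pattern fails
// closed: { ok: false, reason } instead of reaching the regex engine.
function checkPattern(patternKeyword, instance, value) {
  const isRef = patternKeyword !== null && typeof patternKeyword === 'object'
    && '$data' in patternKeyword;
  const pattern = isRef ? resolvePointer(instance, patternKeyword.$data) : patternKeyword;
  const reason = vetPattern(pattern);
  if (reason !== null) return { ok: false, reason };
  return { ok: new RegExp(pattern).test(value) };
}
```

A production deployment would pair this with a total length cap on the validated instance, since the vetting only bounds the pattern, not the subject string.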
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-01-09T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 698cce794b57a58fa1b3e299
Added to database: 2/11/2026, 6:46:17 PM
Last enriched: 2/19/2026, 2:10:13 PM
Last updated: 2/20/2026, 10:46:09 PM