Package: node-ajv
Version: 8.17.1-1
Severity: important
Tags: security upstream

The ajv package through version 8.17.1 is vulnerable to Regular
Expression Denial of Service (ReDoS) when the $data option is enabled.
The pattern keyword, when used with $data references, passes runtime
data directly to the JavaScript RegExp() constructor without validation.
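As an added example that is not part of this report or of the ajv code base, the script below shows how a team can audit its own schemas for the construct described above (a `pattern` keyword whose value is a `$data` reference, so the regular expression comes from the instance being validated) and how to apply a conservative policy to any such pattern before it reaches RegExp(). The sample schema, the length limit and the nested-quantifier heuristic are constructed for illustration; the heuristic is not a proof of linear-time matching, and an allowlist of named patterns is the stronger option where the application can afford it.

```javascript
// Added example, not code from the Debian report or from ajv itself.
// Audits a JSON Schema for `pattern` keywords driven by `$data` and applies
// a bounded policy to data-supplied patterns.  All sample data is constructed.

// Keywords whose children are keyed by user-chosen names, not by JSON Schema
// keywords; a property literally called "pattern" must not count as a hit.
const NAME_MAPS = new Set([
  "properties", "patternProperties", "$defs", "definitions", "dependentSchemas",
]);

// Walk a schema and return every `pattern` keyword that is a `$data` reference.
function findDataDrivenPatterns(schema, path = "#", insideNameMap = false) {
  const hits = [];
  if (Array.isArray(schema)) {
    schema.forEach((item, i) =>
      hits.push(...findDataDrivenPatterns(item, `${path}/${i}`)));
    return hits;
  }
  if (schema === null || typeof schema !== "object") return hits;
  for (const [key, value] of Object.entries(schema)) {
    const childPath = `${path}/${key}`;
    const isDataRef = value !== null && typeof value === "object" &&
      typeof value.$data === "string";
    if (!insideNameMap && key === "pattern" && isDataRef) {
      hits.push({ path: childPath, ref: value.$data });
      continue;
    }
    // Children of a name map are subschemas again, so the flag resets for them.
    hits.push(...findDataDrivenPatterns(
      value, childPath, !insideNameMap && NAME_MAPS.has(key)));
  }
  return hits;
}

// Heuristic: a group containing an unbounded quantifier that is itself
// quantified, e.g. (a+)+, the classic catastrophic-backtracking shape.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[*+](?:[^()\\]|\\.)*\)[*+{]/;

// Policy for a pattern that comes from instance data: bound its length,
// reject the nested-quantifier shape, and require that it compiles.
// Compiling a RegExp does not run a match, so this guard itself is cheap.
function isPatternAllowed(pattern, maxLength = 100) {
  if (typeof pattern !== "string" || pattern.length > maxLength) return false;
  if (NESTED_QUANTIFIER.test(pattern)) return false;
  try {
    new RegExp(pattern);
  } catch (e) {
    return false;
  }
  return true;
}

// Constructed sample schema: one property named "pattern" (not a hit), one
// literal pattern (not a hit), and two data-driven patterns (both hits).
const SAMPLE_SCHEMA = {
  type: "object",
  properties: {
    pattern: { type: "string" },
    code: { type: "string", pattern: "^[A-Z]{3}$" },
    value: { type: "string", pattern: { $data: "1/userRegex" } },
    userRegex: { type: "string" },
  },
  items: [{ pattern: { $data: "/x" } }],
};

if (typeof require !== "undefined" && require.main === module) {
  for (const hit of findDataDrivenPatterns(SAMPLE_SCHEMA)) {
    console.log(`data-driven pattern at ${hit.path} (ref ${hit.ref})`);
  }
}
```

Run the audit over every schema that is compiled with `$data` enabled; each hit is a place where instance data selects the regular expression, and the validator should apply a policy such as `isPatternAllowed` (or a fixed allowlist) to that data before the schema is used.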

Affected Debian versions:
* unstable: 8.17.1~ds+~3.0.1+~3.1.0-4
* testing: 8.17.1~ds+~3.0.1+~3.1.0-4
* stable: 8.12.0~ds+~2.1.1-5

Fixed upstream in version 8.18.0.

https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5

References:
* CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69873
* Disclosure: https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md