GHSA-2g4f-4pwh-qvx6

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Database specific

{
    "nvd_published_at": "2026-02-11T19:15:50Z",
    "github_reviewed_at": "2026-02-17T16:38:57Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed": true
}

References

Affected packages

npm / ajv

Package

Name: ajv; View open source insights on deps.dev
Purl: pkg:npm/ajv

Affected ranges

Type: SEMVER
Events: Introduced

7.0.0-alpha.0

Fixed

8.18.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json"

npm / ajv

Package

Name: ajv; View open source insights on deps.dev
Purl: pkg:npm/ajv

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.14.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json"