
[Snyk High] Regular Expression Denial of Service (ReDoS) (Due: 03/25/26) #233

@tmpayton

Description


Vulnerability

CWE-1333
CVE-2025-69873
CVSS 8.2 (High)
SNYK-JS-AJV-15274295

Introduced through
[email protected]

Fixed in
[email protected], @8.18.0

Exploit maturity
Proof of Concept

Detailed paths and remediation
Introduced through: [email protected][email protected]
Fix: Upgrade to [email protected]
Security information
Factors contributing to the scoring:
Snyk: CVSS v4.0 8.2 - High Severity | CVSS v3.1 5.9 - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
ajv is Another JSON Schema Validator.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper validation of the pattern keyword when it is combined with $data references. With $data, the regular expression used by pattern is read from the JSON document being validated instead of from the schema, so an attacker who controls the input also controls the regex that gets compiled and executed. By submitting a document containing a specially crafted regular expression (one that backtracks catastrophically against an accompanying string), the attacker can make the validating process consume CPU for an unbounded time and become unresponsive.

Note:

This is only exploitable if the $data option is enabled (the ajv instance was constructed with $data: true) and a schema uses pattern with a $data reference that resolves into attacker-controlled input. Instances that do not enable $data are not affected by this issue.
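To make the mechanism concrete, here is an added example (it is not ajv's code and not part of this issue) of a toy pattern keyword that resolves its regular expression through an absolute JSON Pointer $data reference, the way ajv does when the $data option is enabled, alongside a heuristic guard that refuses patterns with nested quantifiers before they are compiled. The pointer handling is simplified, the guard is an assumption for illustration and is not ajv's fix (it is deliberately conservative and does not catch every catastrophic pattern, such as overlapping alternation like (a|aa)+), and the sample documents are constructed. The correct remediation remains upgrading ajv as stated above.

```javascript
'use strict';

// Added example: a toy `pattern` keyword with $data support and a ReDoS guard.
// Not ajv's code. Pointer handling and the guard are simplifications (assumptions).

// Absolute JSON Pointer (RFC 6901) lookup, e.g. "/re" -> root.re.
function getPointer(root, pointer) {
  if (pointer === '') return root;
  let cur = root;
  for (const raw of pointer.slice(1).split('/')) {
    const key = raw.replace(/~1/g, '/').replace(/~0/g, '~');
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Heuristic ReDoS guard (assumption, not ajv's fix): reject oversized patterns and
// any quantified group that itself contains a quantifier, e.g. (a+)+ or (\d*\s)*.
// It does not catch every catastrophic pattern (e.g. overlapping alternation (a|aa)+).
const MAX_PATTERN_LENGTH = 256;
const NESTED_QUANTIFIER = /\([^()]*[+*][^()]*\)[+*{]/;

function isSafePattern(source) {
  return typeof source === 'string'
    && source.length <= MAX_PATTERN_LENGTH
    && !NESTED_QUANTIFIER.test(source);
}

// Validate `instance` against schema.pattern. With opts.$data enabled, a pattern of the
// form { $data: "/pointer" } is read from rootDoc, so whoever controls the document
// controls the regex that gets compiled and run.
function validatePattern(schema, instance, rootDoc, opts = {}) {
  let source = schema.pattern;
  if (source !== null && typeof source === 'object' && typeof source.$data === 'string') {
    if (!opts.$data) return { valid: false, error: '$data references are disabled' };
    source = getPointer(rootDoc, source.$data);
    if (source === undefined) return { valid: true }; // unresolved reference: keyword ignored
  }
  if (typeof source !== 'string') return { valid: false, error: 'pattern must be a string' };
  if (opts.guard && !isSafePattern(source)) {
    return { valid: false, error: 'pattern rejected by ReDoS guard' };
  }
  if (typeof instance !== 'string') return { valid: true }; // pattern only applies to strings
  return { valid: new RegExp(source).test(instance) };
}

// Constructed sample documents. The regex in `re` is supplied by the document itself.
const schema = { pattern: { $data: '/re' } };
const benignDoc = { re: '^[a-z]+$', value: 'hello' };
// (a+)+$ against "aaa...a!" explores roughly 2^n ways to split the a's before failing.
function evilDoc(n) {
  return { re: '(a+)+$', value: 'a'.repeat(n) + '!' };
}

function demo() {
  const ok = validatePattern(schema, benignDoc.value, benignDoc, { $data: true });
  const big = evilDoc(40);
  // With the guard the hostile pattern is refused before RegExp is ever constructed.
  const rejected = validatePattern(schema, big.value, big, { $data: true, guard: true });
  // Without the guard, time roughly doubles per extra character. Kept small here so the
  // demo stays fast; at n around 30 a single request ties up a CPU core for a long time.
  const timingsMs = [];
  for (const n of [12, 14, 16]) {
    const doc = evilDoc(n);
    const t0 = process.hrtime.bigint();
    validatePattern(schema, doc.value, doc, { $data: true });
    timingsMs.push([n, Number(process.hrtime.bigint() - t0) / 1e6]);
  }
  return { ok, rejected, timingsMs };
}

console.log(demo());
```

Running it prints the benign document validating normally, the hostile document being refused by the guard, and timings for the unguarded path that grow geometrically with the length of the string. The guard is a stopgap for code paths that cannot yet take the upgrade; disabling $data where it is not needed removes the attack surface entirely.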

Completion Criteria

  • Upgrade the ajv package to version 6.14.0 (or 8.18.0 on the 8.x line) and confirm with npm ls ajv that no copy of ajv below the fixed versions remains in the dependency tree, so the Snyk finding is resolved.

Status: Assigned