Skip to content

Update dependency ajv to v8.18.0 [SECURITY]#113

Merged
firecow merged 1 commit intomainfrom
renovate/npm-ajv-vulnerability
Mar 4, 2026
Merged

Update dependency ajv to v8.18.0 [SECURITY]#113
firecow merged 1 commit intomainfrom
renovate/npm-ajv-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 18, 2026

This PR contains the following updates:

Package Change Age Confidence
ajv (source) 8.17.18.18.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-69873

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Release Notes

ajv-validator/ajv (ajv)

v8.18.0

Compare Source

What's Changed

New Contributors

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot changed the title Update dependency ajv to v8.18.0 [SECURITY] Update dependency ajv to v8.18.0 [SECURITY] - autoclosed Feb 20, 2026
@renovate renovate bot closed this Feb 20, 2026
@renovate renovate bot deleted the renovate/npm-ajv-vulnerability branch February 20, 2026 21:13
@renovate renovate bot changed the title Update dependency ajv to v8.18.0 [SECURITY] - autoclosed Update dependency ajv to v8.18.0 [SECURITY] Feb 22, 2026
@renovate renovate bot reopened this Feb 22, 2026
@renovate renovate bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from 3ba517b to 549e998 Compare February 22, 2026 18:02
firecow
firecow approved these changes Mar 4, 2026
View reviewed changes
Copy link
Member

@firecow firecow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security patch, checks pass.

@firecow firecow merged commit c2f5025 into main Mar 4, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@firecow firecow firecow approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@firecow