What is the CVSS score of CVE-2025-69873?

CVE-2025-69873 has a CVSS 3.1 base score of 2.9 (Low). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. EPSS exploitation probability: 0.1%.

Is there a public PoC exploit available for CVE-2025-69873?

Yes, a public proof-of-concept exploit is available for CVE-2025-69873. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-69873?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

CVE-2025-69873

LOW

Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)

2026-02-11 cve@mitre.org

GHSA-2g4f-4pwh-qvx6

Denial Of Service

2.9

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

2.9 LOW

AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

CVE Published

Feb 11, 2026 - 19:15 nvd

LOW 2.9

DescriptionCVE.org

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

AnalysisAI

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. [CVSS 2.9 LOW]

Technical ContextAI

Classified as CWE-1333 (Inefficient Regular Expression Complexity (ReDoS)). ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds

Affected ProductsAI

Fixed in: version 6

RemediationAI

Fixed in version 6.14.0..

CVE-2025-69873 vulnerability details – vuln.today

Back

CVE-2025-69873

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code