Skip to content

mini-css-extract-plugin-2.9.4.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed #11185

New issue
New issue
Closed
Closed
mini-css-extract-plugin-2.9.4.tgz: 1 vulnerabilities (highest severity is: 7.5) - autoclosed#11185
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Feb 12, 2026
Vulnerable Library - mini-css-extract-plugin-2.9.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /home/wss-scanner/.yarn/berry/cache/ajv-npm-8.12.0-3bf6e30741-10c0.zip

Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (mini-css-extract-plugin version) Remediation Possible**
CVE-2025-69873 High 7.5 ajv-8.12.0.tgz Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-69873

Vulnerable Library - ajv-8.12.0.tgz

Library home page: https://registry.npmjs.org/ajv/-/ajv-8.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /home/wss-scanner/.yarn/berry/cache/ajv-npm-8.12.0-3bf6e30741-10c0.zip

Dependency Hierarchy:

  • mini-css-extract-plugin-2.9.4.tgz (Root Library)
    • schema-utils-4.3.3.tgz
      • ajv-8.12.0.tgz (Vulnerable Library)

Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be

Found in base branch: main

Vulnerability Details

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Publish Date: 2026-02-11

URL: CVE-2025-69873

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Type

    No type

    Projects

    Intercode

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions