Skip to content

build(deps): update dependency ajv to v8.18.0 [security]#396

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-ajv-vulnerability
Open

build(deps): update dependency ajv to v8.18.0 [security]#396
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-ajv-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 22, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
ajv (source) 8.17.18.18.0 age confidence

ajv has ReDoS when using $data option

CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6

More information

Details

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Severity

  • CVSS Score: 5.5 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

ajv-validator/ajv (ajv)

v8.18.0

Compare Source

What's Changed

New Contributors

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the security label Feb 22, 2026
@renovate renovate Bot requested a review from a team February 22, 2026 18:12
@codecov

codecov Bot commented Feb 22, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.67%. Comparing base (8c369e0) to head (281dcab).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #396   +/-   ##
=======================================
  Coverage   97.67%   97.67%           
=======================================
  Files           4        4           
  Lines         129      129           
=======================================
  Hits          126      126           
  Misses          3        3           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate Bot force-pushed the renovate/npm-ajv-vulnerability branch from 1e52713 to 198a133 Compare March 5, 2026 16:36
@renovate renovate Bot changed the title build(deps): update dependency ajv to v8.18.0 [security] build(deps): update dependency ajv to v8.18.0 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-ajv-vulnerability branch March 27, 2026 02:43
@renovate renovate Bot changed the title build(deps): update dependency ajv to v8.18.0 [security] - autoclosed build(deps): update dependency ajv to v8.18.0 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from 198a133 to 978b11d Compare March 30, 2026 19:04
@renovate renovate Bot changed the title build(deps): update dependency ajv to v8.18.0 [security] build(deps): update dependency ajv to v8.18.0 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title build(deps): update dependency ajv to v8.18.0 [security] - autoclosed build(deps): update dependency ajv to v8.18.0 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-ajv-vulnerability branch 2 times, most recently from 978b11d to 4873e3b Compare April 27, 2026 20:31
@renovate renovate Bot force-pushed the renovate/npm-ajv-vulnerability branch from 4873e3b to 59a5afb Compare May 12, 2026 13:44
@renovate renovate Bot force-pushed the renovate/npm-ajv-vulnerability branch from 59a5afb to d496772 Compare May 28, 2026 22:26
@renovate renovate Bot force-pushed the renovate/npm-ajv-vulnerability branch from d496772 to 281dcab Compare June 11, 2026 22:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants