ajv Regular Expression Denial-of-Service Vulnerability via $data Reference

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in ajv (Another JSON Schema Validator) versions through 8.17.1. This issue arises when the $data option is enabled, allowing the pattern keyword to accept runtime data via JSON Pointer syntax. The injected regex patterns are passed directly to the JavaScript RegExp constructor without any validation, enabling attackers to exploit catastrophic backtracking. A payload of 31 characters can block the CPU for approximately 44 seconds, causing a complete denial of service with a single HTTP request to any API using ajv with $data: true for dynamic schema validation.

Impact

Exploitation of this vulnerability leads to a significant denial-of-service condition, where the Node.js event loop is blocked for an extended period, preventing the server from processing any requests. This disruption can cause health check failures and trigger cascading failures in production environments with auto-scaling and load balancing, ultimately rendering the service unavailable.

Reproduction

To reproduce this vulnerability, send a POST request to an API endpoint that uses ajv with $data: true for validation. Include a JSON payload that references a malicious regex pattern in a field that the schema validates with the pattern keyword. The injected pattern should be crafted to cause catastrophic backtracking, such as one that matches a sequence of characters in a way that exploits the regex engine's processing.

Remediation

Users can mitigate this vulnerability by avoiding the use of $data with the pattern keyword, by pre-validating dynamic regex patterns with the safe-regex package before they reach ajv, or by using Google's RE2 regex engine, which is supported by ajv and eliminates backtracking.
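The following is an added example (not code from the ajv project or from this advisory) of the pre-validation approach described above: a gate that runs on the request field a schema's $data pointer references, before the body is handed to ajv. The length cap, the nested-repetition heuristic (a simplified version of the star-height check safe-regex performs), the top-level-only schema walk, the sample schema and the sample request bodies are all assumptions constructed for the illustration; ajv itself is not required, so the block runs offline.

```javascript
// Added example (not ajv project code): gate runtime-supplied regex patterns
// before ajv compiles them. Limits and policy below are assumptions.

const MAX_PATTERN_LENGTH = 256;   // assumed cap; tune to what the API legitimately accepts
const QUANTIFIER_BRACE = /^\{\d/;  // "{n", "{n,}" or "{n,m}" right after the current char

// Heuristic scanner: true when a repetition (*, + or {n...}) is applied to a
// group that itself contains a repetition, e.g. (a+)+ or ((a+)b)*.
// Handles escapes, character classes and nested groups. Bounded braces count
// too (large bounds behave like unbounded ones). It does not model overlapping
// alternation such as (a|a)*, so it narrows exposure rather than proving a
// pattern safe; a linear-time engine such as RE2 is the robust fix.
function hasNestedRepetition(pattern) {
  const outer = [];            // per open group: had the enclosing level seen a repetition?
  let sawRepetition = false;   // repetition seen at the current nesting level
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i += 1; continue; }                   // skip the escaped character
    if (inClass) { if (ch === ']') inClass = false; continue; }
    if (ch === '[') { inClass = true; continue; }
    if (ch === '(') { outer.push(sawRepetition); sawRepetition = false; continue; }
    if (ch === ')') {
      const inner = sawRepetition;
      sawRepetition = outer.length ? outer.pop() : false;
      const next = pattern[i + 1];
      if (inner && (next === '*' || next === '+' ||
          (next === '{' && QUANTIFIER_BRACE.test(pattern.slice(i + 1))))) return true;
      sawRepetition = sawRepetition || inner;                // propagate to the enclosing level
      continue;
    }
    if (ch === '*' || ch === '+' ||
        (ch === '{' && QUANTIFIER_BRACE.test(pattern.slice(i)))) sawRepetition = true;
  }
  return false;
}

// Policy applied to every runtime pattern: type, length, syntax, then structure.
function checkDynamicPattern(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'pattern must be a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'pattern exceeds length cap' };
  try {
    new RegExp(pattern);   // syntax check only: compiling does not backtrack, matching does
  } catch (err) {
    return { ok: false, reason: 'pattern is not valid RegExp syntax' };
  }
  if (hasNestedRepetition(pattern)) return { ok: false, reason: 'nested repetition (ReDoS risk)' };
  return { ok: true };
}

// Constructed schema of the kind the advisory describes: the pattern applied to
// "value" is read at runtime from the sibling field "regex" via a $data pointer.
const dynamicSchema = {
  type: 'object',
  properties: {
    regex: { type: 'string' },
    value: { type: 'string', pattern: { $data: '1/regex' } },
  },
};

// Minimal resolver for the relative JSON Pointer form "N/key" used by $data
// (N = levels up from the field being validated). ~0/~1 escapes are not handled.
function resolveRelativePointer(root, fieldPath, pointer) {
  const [levels, ...segments] = pointer.split('/');
  const base = fieldPath.slice(0, fieldPath.length - Number(levels));
  let node = root;
  for (const key of [...base, ...segments]) {
    if (node === null || typeof node !== 'object') return undefined;
    node = node[key];
  }
  return node;
}

// Walk the schema's top-level properties; every pattern sourced through $data
// must pass checkDynamicPattern before the body may be passed to ajv.validate().
function gateRequestBody(schema, body) {
  const props = (schema && schema.properties) || {};
  for (const [name, sub] of Object.entries(props)) {
    const src = sub && sub.pattern;
    if (!src || typeof src !== 'object' || typeof src.$data !== 'string') continue;
    const pattern = resolveRelativePointer(body, [name], src.$data);
    if (pattern === undefined) continue;   // referenced field absent: nothing to gate
    const result = checkDynamicPattern(pattern);
    if (!result.ok) return { accepted: false, field: name, reason: result.reason };
  }
  return { accepted: true };
}

// Usage: call gateRequestBody(dynamicSchema, req.body) in the request handler and
// reject with 400 on { accepted: false }; only accepted bodies reach ajv.
```

Because the gate runs before any matching takes place, a rejected pattern never reaches the RegExp engine, and rejections carry a field name and reason that can be logged and alerted on as an indicator of probing against the endpoint.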

Added: Feb 11, 2026, 7:26 PM
Updated: Feb 11, 2026, 7:26 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.