
Security: ajv ReDoS vulnerability via $data option — update to >=6.14.0 / >=8.18.0 #246

Description

@LucasMaupin

Summary

ajv (JSON Schema validator) versions prior to 6.14.0 (v6 branch) and 8.18.0 (v8 branch) contain a Regular Expression Denial of Service (ReDoS) vulnerability triggered when the $data option is enabled.

Impact

Fastify uses ajv internally for runtime schema validation. With the $data option enabled, a crafted schema containing $data references can drive the validator into catastrophic regular-expression backtracking. Because the validation runs synchronously, this blocks the Node.js event loop and results in a denial of service for the entire API server, not just the affected route.

ajv is a runtime dependency pulled in by Fastify and @sinclair/typebox.

Steps to verify

npm ls ajv
npm audit 2>&1 | grep ajv

Recommendation

npm audit fix

If this cannot be auto-resolved, identify which direct dependency pins the old version and update it (or force the version with an npm "overrides" entry). Target versions:

  • ajv@6.x: >=6.14.0
  • ajv@8.x: >=8.18.0

References

  • Audit finding: SEC-012

Labels: bug (Something isn't working), dependencies (Pull requests that update a dependency file)