Summary
ajv (JSON Schema validator) versions prior to 6.14.0 (v6 branch) and 8.18.0 (v8 branch) contain a Regular Expression Denial of Service (ReDoS) vulnerability triggered when the $data option is enabled.
Impact
Fastify uses ajv internally for runtime schema validation. If a crafted schema is processed with $data references, the validator can enter catastrophic backtracking and hang the event loop — resulting in a denial-of-service for the entire API server.
ajv is a runtime dependency pulled in by Fastify and @sinclair/typebox.
Steps to verify
npm ls ajv
npm audit 2>&1 | grep ajv
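As an added check (example code, not part of the advisory), the following Node script scans a package-lock.json "packages" map for every installed copy of ajv, including nested copies under node_modules/fastify, and flags those below the fixed versions stated above (6.14.0 on the v6 branch, 8.18.0 on the v8 branch). The sample lockfile fragment is constructed for illustration; majors other than 6 and 8 are reported as not covered by this advisory.

```javascript
// Added example: flag installed ajv copies that are below the fixed versions.
// Thresholds are those given in the advisory: 6.14.0 (v6) and 8.18.0 (v8).
const FIXED = { 6: [6, 14, 0], 8: [8, 18, 0] };

// Parse "major.minor.patch" (optional leading "v"); pre-release tags are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true = below the fixed version, false = fixed, null = major not covered here
function isVulnerableAjv(version) {
  const v = parseSemver(version);
  const fixed = FIXED[v[0]];
  if (!fixed) return null;
  return cmp(v, fixed) < 0;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3). Walks every install
// path so transitively nested copies (e.g. node_modules/fastify/node_modules/ajv)
// are not missed, which `npm ls ajv` would otherwise list but this makes explicit.
function findAjv(lock) {
  const out = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/ajv' || path.endsWith('/node_modules/ajv')) {
      out.push({ path, version: pkg.version, vulnerable: isVulnerableAjv(pkg.version) });
    }
  }
  return out;
}

// Constructed sample lockfile fragment (assumption, not a real project lockfile).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/ajv': { version: '8.12.0' },
    'node_modules/fastify/node_modules/ajv': { version: '8.18.0' },
    'node_modules/some-old-tool/node_modules/ajv': { version: '6.12.6' },
  },
};

console.log(JSON.stringify(findAjv(sampleLock), null, 2));
```

To run against a real project, replace sampleLock with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.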
Recommendation
If this cannot be auto-resolved, identify which direct dependency pins the old version and update it. Target versions:
ajv@6.x → >=6.14.0
ajv@8.x → >=8.18.0
References