Merged
9 changes: 5 additions & 4 deletions pnpm-lock.yaml


1 change: 1 addition & 0 deletions pnpm-workspace.yaml
Expand Up @@ -6,5 +6,6 @@ onlyBuiltDependencies:
- vue-demi

overrides:
ajv@<6.14.0: 6.14.0

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, find and examine the pnpm-workspace.yaml file
git ls-files | grep -E '(pnpm-workspace|pnpm-lock)'

Repository: flumen-dev/flumen.dev

Length of output: 99


🏁 Script executed:

# Look at the pnpm-workspace.yaml file to see the current state
cat -n pnpm-workspace.yaml

Repository: flumen-dev/flumen.dev

Length of output: 334


🏁 Script executed:

# Check if pnpm-lock.yaml exists and examine ajv versions
if [ -f pnpm-lock.yaml ]; then
  echo "=== Checking ajv entries in pnpm-lock.yaml ==="
  rg -n 'ajv@' pnpm-lock.yaml | head -30
else
  echo "pnpm-lock.yaml not found"
fi

Repository: flumen-dev/flumen.dev

Length of output: 173


🏁 Script executed:

# Look for issue `#91` or any related documentation/comments about the ajv vulnerability
# (rg searches recursively by default; `-r` is its --replace flag, so `-n` is used for line numbers instead)
rg -n '#91|ajv.*advisory|ajv.*vulnerab' --type md --type txt --type yaml . | head -20

Repository: flumen-dev/flumen.dev

Length of output: 16415


🏁 Script executed:

# Check git history for context about this change
git log --oneline --all | grep -i ajv | head -10

Repository: flumen-dev/flumen.dev

Length of output: 123


🌐 Web query:

ajv CVE vulnerability 6.14.0 8.18.0 fix

💡 Result:

For Ajv (npm ajv), the “what version fixes it?” depends on which CVE you mean:

  • CVE-2025-69873 (ReDoS when $data is enabled and pattern is attacker-controlled)
    Affected: Ajv through 8.17.1 (i.e., < 8.18.0, so 6.14.0 is affected) • Fixed: upgrade to 8.18.0+. The upstream fix was merged Feb 14, 2026 and released as 8.18.0. [1][2][3]

  • CVE-2020-15366 (prototype pollution / potential code execution via crafted schema in ajv.validate())
    Affected: Ajv 6.12.2 • Fixed: 6.12.3+ (so 6.14.0 is not affected). [4]

If you can’t upgrade immediately for CVE-2025-69873, mitigate by not enabling $data (or ensuring $data-sourced pattern values can’t be attacker-controlled). [1]

Sources
[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69873
[2] ajv-validator/ajv#2586
[3] https://security.snyk.io/package/npm/ajv
[4] https://nvd.nist.gov/vuln/detail/CVE-2020-15366


🌐 Web query:

ajv security advisory 2024 2025 vulnerable versions

💡 Result:

For Ajv (npm package ajv), I could not find any Ajv-specific CVEs/GHSAs that were published in 2024 or 2025. The Ajv advisory that’s currently driving “vulnerable versions” alerts was published Feb 11, 2026 (not 2024/2025): CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6. [1][2]

CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6 (ReDoS with $data)

  • Vulnerable Ajv versions: <= 8.17.1 (i.e., < 8.18.0) [1][2]
  • Fixed version: 8.18.0 [3]
  • Condition: exploitable when Ajv is used with $data option enabled, allowing attacker-controlled regex patterns to reach RegExp() and trigger catastrophic backtracking (ReDoS). [1][2]

Sources: NVD CVE record [1], OSV/GHSA record [2], Snyk package page (shows latest as non-vulnerable and indicates fix at 8.18.0) [3].

[1] https://nvd.nist.gov/vuln/detail/CVE-2025-69873
[2] https://osv.dev/vulnerability/GHSA-2g4f-4pwh-qvx6
[3] https://security.snyk.io/package/npm/ajv


🏁 Script executed:

# Look for any GitHub issues or PR references in the repo
find . -type f \( -name "*.md" -o -name "*.txt" -o -name ".github" \) -exec grep -l "ajv\|#91" {} \; | head -20

Repository: flumen-dev/flumen.dev

Length of output: 47


🏁 Script executed:

# Check if there's a package.json or similar that might reference the issue
cat -n package.json 2>/dev/null | head -50

Repository: flumen-dev/flumen.dev

Length of output: 2138


🏁 Script executed:

# Find which packages depend on ajv
# (the lockfile is YAML, so no --type json filter; `-r` would be rg's --replace flag)
rg -n "ajv" pnpm-lock.yaml | head -30

Repository: flumen-dev/flumen.dev

Length of output: 47


🏁 Script executed:

# Check if $data option is enabled anywhere in the codebase
# (`-r` would be rg's --replace flag; `-n` prints line numbers)
rg -n '\$data' . --type js --type ts --type json | head -20

Repository: flumen-dev/flumen.dev

Length of output: 756


Override doesn't remediate the ajv CVE-2025-69873 vulnerability (still vulnerable).

Line 9 only forces versions below 6.14.0 to 6.14.0, but the Ajv ReDoS advisory (CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6) affects all versions through 8.17.1 and is fixed in 8.18.0. This leaves 6.14.0 vulnerable and doesn't satisfy the security objective. Update the override to pin to 8.18.0:

🔧 Proposed fix
 overrides:
-  ajv@<6.14.0: 6.14.0
+  ajv@<8.18.0: 8.18.0
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pnpm-workspace.yaml` at line 9, the override currently pins ajv to 6.14.0
using the string "ajv@<6.14.0: 6.14.0" but that does not remediate
CVE-2025-69873 because all versions through 8.17.1 are vulnerable; update the
pnpm override for the ajv package (the "ajv" override entry) to pin to the fixed
release 8.18.0 instead so that consumers resolve to a non-vulnerable ajv
version.

devalue@<=5.6.2: '>=5.6.3'
minimatch@<10.2.1: '>=10.2.1'
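Review bot: the `ajv@<6.14.0: 6.14.0` entry is an exact pin while the neighbouring `devalue@<=5.6.2: '>=5.6.3'` and `minimatch@<10.2.1: '>=10.2.1'` entries use a quoted `>=` range; write it as `ajv@<6.14.0: '>=6.14.0'` so later 6.x patch releases can resolve without another override edit. On the substantive point in the inline comment (6.14.0 is still inside the range CVE-2025-69873 covers, fixed in 8.18.0), do not switch straight to `ajv@<8.18.0: 8.18.0` without first running `pnpm why ajv` to list the dependants that resolve ajv 6: ajv 8 is not API-compatible with ajv 6, so a forced major bump can break those packages, and for any dependant that cannot move the advisory's stated condition (the `$data` option enabled with a pattern taken from input) is the thing to verify and record.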
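The check the review comment performs by hand (does an override's target version, and the selector's upper bound, both reach the advisory's fixed version?) as an added JavaScript example; this is not code from the PR or from the flumen.dev project. It assumes the ajv fixed version 8.18.0 quoted in the comment; the fixed versions used for devalue and minimatch are placeholders chosen to match their override bounds, not values the page states. It runs under Node with no dependencies.

```javascript
// Added example (not part of the PR or the flumen.dev project): checks whether a
// pnpm `overrides:` entry removes every version an advisory marks as vulnerable.
// Fixed versions are supplied by the caller; 8.18.0 for ajv is the value the
// review comment cites, the devalue and minimatch values are assumed for the demo.

// Parse "1.2.3" into [1, 2, 3]; prerelease tags are ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver release version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Return -1, 0 or 1 comparing two parsed versions.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Parse one override line such as `ajv@<6.14.0: 6.14.0` or
// `devalue@<=5.6.2: '>=5.6.3'` into its parts; returns null for other lines.
function parseOverride(line) {
  const m = /^\s*([^@\s]+)@(<=|<)([\d.]+):\s*['"]?(>=)?([\d.]+)['"]?\s*$/.exec(line);
  if (!m) return null;
  const [, name, op, selectorVer, , targetVer] = m;
  let untouchedFrom = parseVersion(selectorVer);
  // `<=X` leaves everything above X alone; for release versions that is the same
  // as `<X+1 patch`, so normalise both forms to one "first untouched version".
  if (op === '<=') untouchedFrom = [untouchedFrom[0], untouchedFrom[1], untouchedFrom[2] + 1];
  return { name, untouchedFrom, resolvesTo: parseVersion(targetVer) };
}

// An override remediates an advisory fixed in `fixedVersion` only if
// (a) every version it rewrites resolves to >= fixed (targetOk), and
// (b) no vulnerable version escapes the selector untouched (selectorOk).
function overrideRemediates(line, fixedVersion) {
  const o = parseOverride(line);
  if (!o) throw new Error(`cannot parse override: ${line}`);
  const fixed = parseVersion(fixedVersion);
  const targetOk = compareVersions(o.resolvesTo, fixed) >= 0;
  const selectorOk = compareVersions(o.untouchedFrom, fixed) >= 0;
  return { name: o.name, targetOk, selectorOk, remediates: targetOk && selectorOk };
}

// Audit a whole `overrides:` block against a map of package -> fixed version.
function auditOverrides(overridesYaml, fixedVersions) {
  const report = {};
  for (const line of overridesYaml.split('\n')) {
    const o = parseOverride(line);
    if (!o || !(o.name in fixedVersions)) continue;
    report[o.name] = overrideRemediates(line, fixedVersions[o.name]);
  }
  return report;
}

// Constructed sample: the overrides block as it appears in this PR.
const SAMPLE_OVERRIDES = `
overrides:
  ajv@<6.14.0: 6.14.0
  devalue@<=5.6.2: '>=5.6.3'
  minimatch@<10.2.1: '>=10.2.1'
`;

// ajv: fixed version cited in the review comment (CVE-2025-69873).
// devalue / minimatch: assumed values for the demonstration only.
const FIXED_VERSIONS = { ajv: '8.18.0', devalue: '5.6.3', minimatch: '10.2.1' };

for (const [name, r] of Object.entries(auditOverrides(SAMPLE_OVERRIDES, FIXED_VERSIONS))) {
  console.log(`${name}: ${r.remediates ? 'OK' : 'STILL VULNERABLE'}` +
    (r.selectorOk ? '' : ' (selector leaves vulnerable versions untouched)') +
    (r.targetOk ? '' : ' (resolved version is below the fix)'));
}
```

For the PR's own entry the audit reports ajv as still vulnerable on both counts: the selector stops at 6.14.0, so every 6.14.0 through 8.17.1 resolution is left alone, and the pinned target itself is below 8.18.0. The same function accepts the widened `ajv@<8.18.0: 8.18.0` entry, which passes both checks; it says nothing about whether the dependants tolerate the major bump, which remains a manual step.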