Update dependency ajv to v8.18.0 [SECURITY]

[balena-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
ajv (source)	8.17.1 → 8.18.0

---

ajv has ReDoS when using $data option

CVE-2025-69873 / GHSA-2g4f-4pwh-qvx6

More information

Details

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Severity

• CVSS Score: 5.5 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2025-69873
• https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md
• https://github.com/ajv-validator/ajv/pull/2586
• https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5
• https://github.com/ajv-validator/ajv/releases/tag/v8.18.0
• https://github.com/ajv-validator/ajv/pull/2588
• https://github.com/ajv-validator/ajv/releases/tag/v6.14.0
• https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
• https://github.com/ajv-validator/ajv/pull/2590
• https://github.com/github/advisory-database/pull/6991

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

ajv-validator/ajv (ajv)

v8.18.0

Compare Source

What's Changed

• feat: allow tree-shaking by adding "sideEffects": false to package.json by @​josdejong in #​2480
• fix: #​2482 Infinity and NaN serialise to null by @​jasoniangreen in #​2487
• fix: small grammatical error in managing-schemas.md by @​monteiro-renato in #​2508
• fix: typos in schema-language.md by @​monteiro-renato in #​2507
• fix(pattern): use configured RegExp engine with $data keyword to mitigate ReDoS attacks (CVE-2025-69873) by @​epoberezkin in #​2586

New Contributors

• @​josdejong made their first contribution in #​2480
• @​monteiro-renato made their first contribution in #​2508

Full Changelog: ajv-validator/ajv@v8.17.1...v8.18.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[flowzone-app]

Website deployed to CF Pages, 👀 preview link https://507661cf.balena-design-system.pages.dev