
CVE-2025-69873 moderate severity vulnerability in ajv@8.12.0 #840

@MikeMcC399

Description


npm audit reports a moderate severity vulnerability CVE-2025-69873 (GHSA-2g4f-4pwh-qvx6) in the dependency ajv@8.12.0, released in Jan 2023

Library version

14.2.5

Node version

v24.13.1

Steps to reproduce

Ubuntu 24.04.4 LTS, Node.js 24.13.1 LTS

cd $(mktemp -d)
npm install serve
npm audit

Logs

$ npm audit
# npm audit report

ajv  <8.18.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix --force`
Will install serve@6.5.8, which is a breaking change
node_modules/ajv
  serve  >=7.0.0
  Depends on vulnerable versions of ajv
  node_modules/serve

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Assessment

Executing the following does not remediate the vulnerability:

npm audit fix

serve@14.2.5 is pinned to ajv@8.12.0

Recommendation

Bump ajv@8.12.0 to ajv@8.18.0 (or above) in dependencies of serve and release a new version.
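The audit output above shows why `npm audit fix` cannot help here: the vulnerable ajv copy is a transitive dependency pinned by serve, so only a new serve release (or a consumer-side override) moves it. The following is an added example, not code from the serve project or from the issue author, that scans a lockfile-v3 `package-lock.json` object for installed ajv copies older than the fixed version named in the advisory (8.18.0), so a CI step can flag the pinned copy after installing, and confirm it is gone once serve ships the bump. The lockfile content is constructed sample data mirroring the tree in the npm audit report; `compareSemver`, `findVulnerableAjv` and `SAMPLE_LOCK` are names chosen for this example.

```javascript
// Added example (not from the serve project or the issue author): scan a
// package-lock.json (lockfileVersion 2/3 "packages" map) for ajv installs
// below the first fixed version named in GHSA-2g4f-4pwh-qvx6.
const FIXED_AJV = '8.18.0'; // fixed version per the advisory in the issue

// Compare two semver cores (major.minor.patch); prerelease/build tags are
// ignored, which is sufficient for the released ajv versions involved here.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Return [{ path, version }] for every installed ajv copy below `fixed`.
// Nested copies (e.g. node_modules/serve/node_modules/ajv) are found too,
// because every installed copy lives at a path ending in "node_modules/ajv".
function findVulnerableAjv(lock, fixed = FIXED_AJV) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/ajv')) continue;
    if (typeof meta.version !== 'string') continue; // e.g. link entries
    if (compareSemver(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile excerpt (sample data, not a real lock file) reflecting
// the tree in the issue's npm audit output: serve@14.2.5 pinning ajv@8.12.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { serve: '^14.2.5' } },
    'node_modules/serve': { version: '14.2.5', dependencies: { ajv: '8.12.0' } },
    'node_modules/ajv': { version: '8.12.0' },
  },
};

// Run the check over a lock object and return a non-zero exit code if any
// vulnerable copy remains; a CI job can call this with the parsed real file.
function runCheck(lock) {
  const hits = findVulnerableAjv(lock);
  for (const h of hits) {
    console.log(`${h.path}: ajv@${h.version} is below fixed version ${FIXED_AJV}`);
  }
  return hits.length === 0 ? 0 : 1;
}

runCheck(SAMPLE_LOCK); // prints the pinned ajv@8.12.0 copy from the sample
```

To use it against a real project, parse `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass the object to `runCheck`. Until a serve release with the bump exists, a consumer can also force the transitive version with the `overrides` field in their own `package.json` (`"overrides": { "ajv": "^8.18.0" }`, supported by npm 8.3 and later) and then re-run this check to confirm the installed tree no longer contains an affected copy.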
