Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.


Project: p26005_ztest


Summary

Summary of Vulnerable Dependencies

| Dependency | Vulnerability IDs | Package | Highest Severity | CVE Count | Confidence | Evidence Count |
|---|---|---|---|---|---|---|
| ajv | | pkg:npm/ajv | MODERATE | 1 | | 2 |
| eslint.config.js | | | | 0 | | 0 |
| hono | | pkg:npm/hono | LOW | 1 | | 2 |
| minimatch | | pkg:npm/minimatch | HIGH | 1 | | 2 |
| package.json | | | | 0 | | 0 |

Dependencies (vulnerable)

ajv

File Path: /builds/ztest/p26005_ztest/pnpm-lock.yaml?ajv

Referenced In Project/Scope: pnpm-lock.yaml: transitive

Identifiers

  • pkg:npm/ajv  (Confidence:Highest)

GHSA-2g4f-4pwh-qvx6 (NPM)

ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `"^(a|a)*$"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data: true` for dynamic schema validation.
CWE-400 Uncontrolled Resource Consumption, CWE-1333 Inefficient Regular Expression Complexity

Unscored:
  • Severity: moderate

References:

Vulnerable Software & Versions (NPM):

  • cpe:2.3:a:*:ajv:<6.14.0:*:*:*:*:*:*:*

eslint.config.js

File Path: /builds/ztest/p26005_ztest/eslint.config.js
MD5: bbc0c3f46068d442caf1183a1b639ea7
SHA1: 2f805edcb3a34f2558ba532b620925617352ee2c
SHA256:04d0928205866bab46b6e89f607688ea9ee6877d255c1529951319d35c8c0ed7

Identifiers

  • None

hono

File Path: /builds/ztest/p26005_ztest/pnpm-lock.yaml?hono

Referenced In Project/Scope: pnpm-lock.yaml: transitive

Identifiers

  • pkg:npm/hono  (Confidence:Highest)

GHSA-gq3j-xvxp-8hrf (NPM)

## Summary

The `basicAuth` and `bearerAuth` middlewares previously used a comparison that was not fully timing-safe.

The `timingSafeEqual` function used normal string equality (`===`) when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing differences.

The implementation has been updated to use a safer comparison method.


## Details

The issue was caused by the use of normal string equality (`===`) when comparing hash values inside the `timingSafeEqual` function.

In JavaScript, string comparison may stop as soon as a difference is found. This means the comparison time can slightly vary depending on how many characters match.

Under very specific and controlled conditions, this behavior could theoretically allow timing-based analysis.

The implementation has been updated to:

- Avoid early termination during comparison
- Use a constant-time-style comparison method

## Impact

This issue is unlikely to be exploited in normal environments.

It may only be relevant in highly controlled situations where precise timing measurements are possible.

This change is considered a security hardening improvement. Users are encouraged to upgrade to the latest version.
CWE-208 Observable Timing Discrepancy

CVSSv3:
  • Base Score: LOW (3.7)
  • Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Unscored:
  • Severity: low

References:

Vulnerable Software & Versions (NPM):

  • cpe:2.3:a:*:hono:<4.11.10:*:*:*:*:*:*:*

minimatch

File Path: /builds/ztest/p26005_ztest/pnpm-lock.yaml?minimatch

Referenced In Project/Scope: pnpm-lock.yaml: transitive

Identifiers

  • pkg:npm/minimatch  (Confidence:Highest)

GHSA-3ppc-4f35-3m26 (NPM)

### Summary
`minimatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive `*` wildcards followed by a literal character that doesn't appear in the test string. Each `*` compiles to a separate `[^/]*?` regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits.

The time complexity is O(4^N) where N is the number of `*` characters. With N=15, a single `minimatch()` call takes ~2 seconds. With N=34, it hangs effectively forever.


### Details
_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._

### PoC
When minimatch compiles a glob pattern, each `*` becomes `[^/]*?` in the generated regex. For a pattern like `***************X***`:

```
/^(?!\.)[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?[^/]*?X[^/]*?[^/]*?[^/]*?$/
```

When the test string doesn't contain `X`, the regex engine must try every possible way to distribute the characters across all the `[^/]*?` groups before concluding no match exists. With N groups and M characters, this is O(C(N+M, N)) — exponential.

### Impact
Any application that passes user-controlled strings to `minimatch()` as the pattern argument is vulnerable to DoS. This includes:
- File search/filter UIs that accept glob patterns
- `.gitignore`-style filtering with user-defined rules
- Build tools that accept glob configuration
- Any API that exposes glob matching to untrusted input

----

Thanks to @ljharb for back-porting the fix to legacy versions of minimatch.
CWE-1333 Inefficient Regular Expression Complexity

Unscored:
  • Severity: high

References:

Vulnerable Software & Versions (NPM):

  • cpe:2.3:a:*:minimatch:>=9.0.0 <9.0.6:*:*:*:*:*:*:*

package.json

File Path: /builds/ztest/p26005_ztest/package.json
MD5: c053ea705d32f70063db085f778084ad
SHA1: bee52c00e7d382000394c634cde8454fd8013109
SHA256:b157298d1cf03b9cd97ebeed406d7d1332e46f0f7c73765428efda714e1f03dc

Identifiers

  • None


This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog.
This report may contain data retrieved from the Github Advisory Database (via NPM Audit API).
This report may contain data retrieved from RetireJS.
This report may contain data retrieved from the Sonatype OSS Index.