Description
npm audit reports a moderate severity vulnerability CVE-2025-69873 (GHSA-2g4f-4pwh-qvx6) in the dependency [email protected], released in Jan 2023.
Library version
14.2.5
Node version
v24.13.1
Steps to reproduce
Ubuntu 24.04.4 LTS, Node.js 24.13.1 LTS
cd $(mktemp -d)
npm install serve
npm audit
Logs
$ npm audit
# npm audit report
ajv <8.18.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ajv
serve >=7.0.0
Depends on vulnerable versions of ajv
node_modules/serve
2 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Assessment
Executing the following is unable to remediate the vulnerability:
[email protected] is pinned to [email protected]
Recommendation
Bump [email protected] to [email protected] (or above) in dependencies of serve and release a new version.
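A lockfile check for the situation reported above, as an added example that is not part of the issue or of the serve project: it lists installed ajv copies inside the range npm audit printed (`ajv <8.18.0`) and flags dependents that pin ajv to an exact version in that range, which is why a non-forced `npm audit fix` cannot resolve it. The function names and the sample lockfile (including its ajv versions) are constructed for illustration.

```javascript
// Added example (not from the issue): scan a package-lock.json (lockfileVersion 2/3)
// for ajv copies inside the audited range "ajv <8.18.0" and for the packages pinning them.
const FIXED = "8.18.0"; // first version outside the range shown in the audit output

// Compare plain "major.minor.patch" strings; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// hits: installed ajv copies below `fixed`.
// dependents: packages declaring ajv; blocksFix is true for an exact pin below `fixed`.
function findVulnerableAjv(lock, fixed = FIXED) {
  const packages = lock.packages || {};
  const hits = Object.entries(packages)
    .filter(([p, m]) => p.endsWith("node_modules/ajv") && typeof m.version === "string" && compareVersions(m.version, fixed) < 0)
    .map(([p, m]) => ({ path: p, version: m.version }));
  // The root entry ("") is skipped: only installed packages are listed as dependents.
  const dependents = Object.entries(packages)
    .filter(([p, m]) => p !== "" && m.dependencies && "ajv" in m.dependencies)
    .map(([p, m]) => {
      const declares = m.dependencies.ajv;
      const exact = /^\d+\.\d+\.\d+$/.test(declares); // no ^, ~ or range operator
      return { path: p, declares, blocksFix: exact && compareVersions(declares, fixed) < 0 };
    });
  return { hits, dependents };
}

// Constructed sample lockfile: the ajv versions here are illustrative, not from the issue.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { serve: "^14.2.5" } },
    "node_modules/serve": { version: "14.2.5", dependencies: { ajv: "8.17.0" } },
    "node_modules/ajv": { version: "8.17.0" },
    "node_modules/other/node_modules/ajv": { version: "8.18.0" },
  },
};

console.log(JSON.stringify(findVulnerableAjv(sampleLock), null, 2));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `sampleLock`.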