Inefficient Regular Expression Complexity Affecting anythingllm-oci-entrypoint package, versions *


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.49% (39th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-MINIMOSLATEST-ANYTHINGLLMOCIENTRYPOINT-16339190
  • published2 May 2026
  • disclosed11 Feb 2026

Introduced: 11 Feb 2026

CVE-2025-69873  (opens in a new tab)
CWE-1333  (opens in a new tab)

How to fix?

There is no fixed version for Minimos:latest anythingllm-oci-entrypoint.

NVD Description

Note: Versions mentioned in the description apply only to the upstream anythingllm-oci-entrypoint package and not the anythingllm-oci-entrypoint package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

CVSS Base Scores

version 3.1