The npm package @octokit/endpoint turns REST API endpoint descriptions into generic request options, making it easier for developers to integrate with RESTful APIs. However, a security vulnerability has been identified in versions 4.1. to 10.1.2, leaving these versions susceptible to a regular expression denial-of-service (ReDoS) attack. In this post, we dissect the vulnerability by discussing its origin and how it is triggered, and then show how developers using the affected versions can mitigate the risk.

Vulnerability Details

The security issue lies in the parse function within the parse.ts file of the npm package @octokit/endpoint. A caller that passes crafted options to endpoint.parse(options) can force the regular expression inside it into excessive backtracking. This causes the program to hang and consume high CPU resources, resulting in a denial-of-service condition.

To better understand the issue, let's take a look at the vulnerable code snippet:

function parse(options) {
    // The regex pattern can be driven into excessive backtracking on a crafted
    // options.url, causing high CPU utilization
    var match = /^([^:]+:\/\/[^/]+)?([^?#]+)?(\?[^#]*)?(#.*)?$/.exec(options.url);

    if (!match) {
        // Template literal: the backticks were missing in the original snippet
        throw new Error(`Invalid URL: ${options.url}`);
    }

    // More code...
}

In the above code, the regex pattern is susceptible to exploitation: a crafted url value makes the regular expression engine backtrack excessively, resulting in high CPU utilization and potentially causing a denial-of-service condition.

The vulnerability, CVE-2025-25285, has been recorded in the following references:

- GitHub Issue
- Official Advisory
- Vulnerability Details on CVE Database

Exploit Details

An attacker can exploit this vulnerability by supplying crafted options parameters to a code path that calls endpoint.parse(options). The regular expression then takes an excessive amount of time to complete, leading to high CPU utilization and ultimately a denial-of-service condition.

Mitigation

To protect your application from this vulnerability, it is advised to update @octokit/endpoint to version 10.1.3 or later, which contains a patch for the issue. To update the package, run the following command:

npm install @octokit/endpoint@^10.1.3
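Before and after running that update, it helps to know exactly which copies of the package are present, since a nested dependency can pin an older @octokit/endpoint even when the top-level one is patched. The following script is an added example written for this post, not code from the @octokit/endpoint project. It assumes plain semver version strings and a package-lock.json of lockfile version 2 or 3 (whose "packages" map lists nested installs under their node_modules path), and it reads the post's "4.1." lower bound as 4.1.0; the lock excerpt at the bottom is constructed sample data.

```javascript
// Added example (not part of @octokit/endpoint): report every installed copy of
// @octokit/endpoint whose version falls inside the affected range named in the
// post. Assumption: the post's "4.1." lower bound means 4.1.0; the first fixed
// release is 10.1.3.
const FIRST_AFFECTED = "4.1.0";
const FIRST_FIXED = "10.1.3";

// Parse "MAJOR.MINOR.PATCH" (optional "v" prefix; any pre-release or build
// suffix is ignored for range purposes) into three integers.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised version string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator, comparing major, then minor, then patch.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when FIRST_AFFECTED <= version < FIRST_FIXED.
function isAffected(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 &&
         compareSemver(version, FIRST_FIXED) < 0;
}

// Walk the "packages" map of a lockfile v2/v3 object. Keys look like
// "node_modules/@octokit/endpoint" for the top-level install and
// "node_modules/<dep>/node_modules/@octokit/endpoint" for nested copies.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/@octokit/endpoint") &&
        entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lock excerpt (not from a real project): one top-level copy
// at the last affected release, one nested older copy, one nested patched copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@octokit/endpoint": { version: "10.1.2" },
    "node_modules/some-plugin/node_modules/@octokit/endpoint": { version: "9.0.5" },
    "node_modules/other-lib/node_modules/@octokit/endpoint": { version: "10.1.3" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node check-octokit-endpoint.js [path/to/package-lock.json]
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const hits = findAffectedInLock(lock);
  if (hits.length === 0) {
    console.log("no affected @octokit/endpoint versions found");
  } else {
    for (const h of hits) console.log(`AFFECTED ${h.version} at ${h.path}`);
    process.exitCode = 1;
  }
}
```

Run it against a real lockfile by passing the path as the first argument; a non-zero exit code makes it usable as a CI gate. The same information is visible with `npm ls @octokit/endpoint`, which prints every nested copy and its version, but the script form lets you assert on the range rather than read the tree by eye.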

It's important to keep package versions current and follow sound dependency-management practices, including auditing transitive dependencies, so that your application stays resilient against known vulnerabilities.

Additionally, you may want to check the Snyk Security Advisory for further information on this vulnerability and follow the recommended steps to secure your application.

Conclusion

The CVE-2025-25285 vulnerability in the @octokit/endpoint package poses a significant security risk for users of the affected versions. By understanding the exploit, updating to a patched version, and maintaining proper dependency management, developers can maintain a more secure and stable application environment.

Timeline

Published on: 02/14/2025 20:15:34 UTC