A vulnerability has been discovered in the Octokit pagination plugin @octokit/plugin-paginate-rest that allows a Regular Expression Denial of Service (ReDoS) attack. It affects versions of the npm package @octokit/plugin-paginate-rest from 1.. up to, but not including, 11.4.1. By calling octokit.paginate.iterator() with a specifically crafted octokit instance, an attacker can trigger the ReDoS condition. The vulnerability has been patched in version 11.4.1.
Exploit Details
The vulnerability lies in the implementation of the octokit.paginate.iterator() function. When it is called with an octokit instance whose request carries a malicious link parameter in the headers section, the regular expression processing applied to that value becomes susceptible to a ReDoS attack.
A sample exploit using the malicious link parameter looks like this:
// Proof of concept from the advisory: build an Octokit instance with the
// pagination plugin and pass an attacker-controlled Link header into the
// paginated request.
const { Octokit } = require("@octokit/core");
const { paginateRest } = require("@octokit/plugin-paginate-rest");

const MyOctokit = Octokit.plugin(paginateRest);
const octokit = new MyOctokit({
  auth: "personal-access-token", // placeholder token
});

// Placeholder for the crafted header value (not provided in this advisory).
const maliciousLinkHeader = "insert-malicious-link-here";

async function exploit() {
  const results = [];
  // The crafted link header value is what reaches the vulnerable
  // regular expression processing inside the iterator.
  for await (const result of octokit.paginate.iterator({
    method: "GET",
    url: "/repos/:owner/:repo/issues",
    owner: "octocat",
    repo: "hello-world",
    request: {
      headers: {
        link: maliciousLinkHeader,
      },
    },
  })) {
    results.push(result);
  }
  return results;
}

exploit().catch(console.error);
Replace "insert-malicious-link-here" with the crafted malicious link.
Mitigation
The vulnerability has been fixed in version 11.4.1 of @octokit/plugin-paginate-rest. Updating to the fixed version is strongly recommended to prevent ReDoS attacks.
To update the package, run:
npm install @octokit/plugin-paginate-rest@11.4.1
For more information about the fixed version, you can refer to the package's GitHub repository: https://github.com/octokit/plugin-paginate-rest
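Because the weakness is a backtracking regular expression applied to an attacker-influenced Link header, the defensive pattern worth knowing is to parse that header with a single linear pass and a size cap. The scanner below is an added example written for this advisory; it is not the plugin's own code or its actual fix, and the function name, the cap value and the sample headers are constructed for the illustration.

```javascript
// Extract the rel="next" target from an HTTP Link header without any
// backtracking regex: one forward pass, cost linear in header length.
const MAX_LINK_HEADER_LENGTH = 8192; // constructed cap; tune per deployment

function nextLinkFromHeader(linkHeader) {
  if (typeof linkHeader !== "string") return undefined;
  if (linkHeader.length > MAX_LINK_HEADER_LENGTH) {
    throw new RangeError("Link header exceeds configured size limit");
  }
  const n = linkHeader.length;
  let i = 0;
  while (i < n) {
    while (i < n && (linkHeader[i] === " " || linkHeader[i] === ",")) i++;
    if (i >= n) break;
    if (linkHeader[i] !== "<") return undefined;   // malformed link-value: stop
    const close = linkHeader.indexOf(">", i + 1);
    if (close === -1) return undefined;            // unterminated target: stop
    const url = linkHeader.slice(i + 1, close);
    i = close + 1;
    let relNext = false;
    while (i < n && linkHeader[i] !== ",") {       // link-params up to next ','
      if (linkHeader[i] === ";" || linkHeader[i] === " ") { i++; continue; }
      let eq = i;                                  // scan key up to '=' ';' ','
      while (eq < n && !"=;,".includes(linkHeader[eq])) eq++;
      const key = linkHeader.slice(i, eq).trim().toLowerCase();
      let end = eq;
      let value = "";
      if (eq < n && linkHeader[eq] === "=") {
        if (linkHeader[eq + 1] === '"') {          // quoted-string value
          end = linkHeader.indexOf('"', eq + 2);
          if (end === -1) return undefined;        // unterminated quote: stop
          value = linkHeader.slice(eq + 2, end);
          end++;
        } else {                                   // token value
          end = eq + 1;
          while (end < n && !";,".includes(linkHeader[end])) end++;
          value = linkHeader.slice(eq + 1, end);
        }
      }
      if (key === "rel" && value.split(" ").includes("next")) relNext = true;
      i = end;
    }
    if (relNext) return url;
  }
  return undefined;
}

module.exports = { nextLinkFromHeader, MAX_LINK_HEADER_LENGTH };
```

Every branch either advances the index or returns, so a malformed or oversized header costs at most one pass and never the superlinear work a backtracking regex can be made to do.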
Conclusion
CVE-2025-25288 highlights a ReDoS vulnerability in the widely used Octokit pagination plugin @octokit/plugin-paginate-rest that can be exploited via a malicious link parameter value. Users on an affected version (from 1.. up to, but not including, 11.4.1) should update to version 11.4.1 or later immediately to patch the vulnerability.
Timeline
Published on: 02/14/2025 20:15:34 UTC