@octokit/request-error is a popular error class for handling Octokit request errors. A critical security vulnerability, a Regular Expression Denial of Service (ReDoS), has been identified in versions 1.. up to 6.1.6 of the library. The flaw lies in how HTTP request headers are processed and can severely degrade server performance or cause an outright denial-of-service (DoS) condition.
In this post, we will discuss the details of the vulnerability (CVE-2025-25289), explain the exploit, and provide recommended steps for mitigation.
Vulnerability Details
An attacker exploiting this vulnerability can send an authorization header containing an exceptionally long sequence of spaces followed by a newline character and "@". Due to inefficient regular expression processing in the affected library versions, this can result in excessive resource consumption.
Here's an example of the malicious payload:
Authorization: Bearer ...
@
The library's problematic regular expression can be found in the RequestError.js file:
const regex = /\s*(?: *, *)\s*([a-z][_a-z\d]*)((?: *= *"(?:\\"|[^"])*"|(?: *, *)?(?: *= *[^,"]*))?)?/gi;
This regular expression is applied to HTTP request header values such as the authorization header, and it is here that the ReDoS occurs: on the crafted input described above, matching takes time that grows far faster than the input length.
Code Snippet
In order to exploit this vulnerability, an attacker could craft a malicious request using an excessively long sequence of spaces, a newline character, and "@", as shown below:
fetch("https://api.example.com/sensitiveData", {
  headers: {
    authorization:
      "Bearer " +
      " ".repeat(100000) +
      "\n" +
      "@",
  },
});
Original References
This vulnerability was first reported on GitHub by a security researcher. You can read the original issue for more information and the CVE-2025-25289 entry on the MITRE website.
Exploit Details
When a server running a vulnerable version of @octokit/request-error processes a malicious HTTP header, it spends an excessive amount of time processing the aforementioned regular expression. As a result, server resources are drained, leading to a significant degradation in performance. If the attacker sends multiple such requests, it can result in a denial-of-service (DoS) condition, rendering the server unavailable for legitimate users.
Mitigation
To address this vulnerability, update your @octokit/request-error library to version 6.1.7 or later, which includes a fix for the issue. You can update the library using your preferred package manager, such as npm or yarn:
npm update @octokit/request-error --depth 6
or
yarn upgrade @octokit/request-error@6.1.7
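As an added defensive example (not code from this advisory or from the @octokit project), the following Node.js snippet implements two checks a maintainer can apply: a version comparison against the fixed release 6.1.7, and a pre-filter that rejects authorization values shaped like the crafted input above before they reach any header-parsing regex. The length and whitespace thresholds are assumptions; tune them for your deployment.

```javascript
// Added defensive example; not part of the advisory or of @octokit/request-error.
// (1) Is the installed @octokit/request-error older than the fixed release 6.1.7?
// (2) Does an authorization value look like the oversized, whitespace-padded,
//     newline-bearing input the advisory describes?

const FIXED_VERSION = "6.1.7";

// Compare dotted numeric versions; returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// True when an installed version still lacks the CVE-2025-25289 fix.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Assumed limits: 1024 characters total, no CR/LF or other control characters
// (an HTTP client never sends these legitimately), and no run of more than
// 16 consecutive spaces or tabs. Each check is linear in the input length.
const MAX_HEADER_LENGTH = 1024;
const MAX_WHITESPACE_RUN = 16;
const WHITESPACE_RUN = new RegExp("[ \\t]{" + (MAX_WHITESPACE_RUN + 1) + ",}");

function checkAuthorizationHeader(value) {
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  if (value.length > MAX_HEADER_LENGTH) return { ok: false, reason: "too long" };
  if (/[\x00-\x1f\x7f]/.test(value)) return { ok: false, reason: "control character" };
  if (WHITESPACE_RUN.test(value)) return { ok: false, reason: "whitespace run" };
  return { ok: true, reason: "" };
}

// Constructed sample inputs: a normal bearer token and the advisory's crafted value.
const benign = "Bearer ghp_EXAMPLETOKEN0000";
const crafted = "Bearer " + " ".repeat(100000) + "\n" + "@";

console.log("6.1.6 vulnerable:", isVulnerableVersion("6.1.6"));
console.log("benign:", checkAuthorizationHeader(benign));
console.log("crafted:", checkAuthorizationHeader(crafted));
```

The version check is a convenient guard for a CI script that reads the installed version from the lockfile; the header pre-filter belongs in middleware in front of the code that calls into Octokit.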
Additional Recommendations
- Always be vigilant when using regular expressions in your code, as inefficient regex patterns can lead to ReDoS vulnerabilities.
- Regularly update your dependencies, keeping them up to date with the latest security patches and improvements.
- Subscribe to notifications for security advisories related to the libraries and frameworks you use, ensuring prompt awareness of potential vulnerabilities.
Conclusion
CVE-2025-25289 is a critical Regular Expression Denial of Service (ReDoS) vulnerability in @octokit/request-error library versions 1.. up to 6.1.6. Upgrading to version 6.1.7 or newer mitigates the issue. Always be on the lookout for security advisories related to your dependencies, and consider incorporating regular dependency updates into your development workflow.
Timeline
Published on: 02/14/2025 20:15:35 UTC