@octokit/request is widely used for performing parameterized requests to GitHub's APIs with reasonable defaults in both browsers and Node.js environments. However, a recent vulnerability has been discovered in versions 1.. up to and including version 9.2.. This vulnerability, CVE-2025-25290, concerns a ReDoS (Regular Expression Denial of Service) attack that can be triggered due to an unsafe regular expression in the library.
The problematic regular expression, which appears as /<([^>]+)>; rel="deprecation"/, was designed to match the link header in HTTP responses from GitHub's API. Due to its unbounded matching behavior, this regex is vulnerable to catastrophic backtracking when handling malicious or specially crafted input.
Code snippet
```javascript
// Regex used by affected versions (before 9.2.1) to pull the deprecation link
// out of the response's "link" header. The `[^>]+` group is unbounded, so a
// long run of "<" with no matching suffix makes the engine retry the match
// from many positions (catastrophic backtracking).
const regex = /<([^>]+)>; rel="deprecation"/;
// someHTTPHeader: the "link" header value taken from the HTTP response
const match = regex.exec(someHTTPHeader);
if (match) {
  // Process the deprecation information (match[1] is the URL between < and >)
} else {
  // No deprecation information, continue processing
}
```
Exploiting this vulnerability requires an attacker to send a strategically crafted HTTP link header that triggers excessive CPU usage. This can eventually cause the server to become unresponsive and affect the overall service availability.
To help illustrate the exploit, consider the following example of a malicious link header:
```text
link: <<<<<<<<<<<<<<<<<<<<<<<...>; rel="deprecation"
```
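As an added example (not code from @octokit/request or from its fix), one way to read the deprecation link without a backtracking-prone regex: a forward-only scanner over the `link` header whose cost is proportional to the header's length, combined with a hard length cap. `MAX_LINK_HEADER_LENGTH`, `parseLinkHeader` and `deprecationUrl` are names and values chosen for this example.

```javascript
// Added example, not @octokit/request code: linear-time extraction of the
// rel="deprecation" target without the backtracking-prone regex above.

// Assumption for this example: longer headers are refused outright, which
// puts a fixed upper bound on the work any single response can cause.
const MAX_LINK_HEADER_LENGTH = 8192;
// Split a Link header into { url, params } entries. Indexes only move forward and
// each scanned region is skipped afterwards, so cost stays linear for every input.
function parseLinkHeader(linkHeader) {
  const links = [];
  const n = linkHeader.length;
  let i = 0;
  while (i < n) {
    while (i < n && (linkHeader[i] === " " || linkHeader[i] === ",")) i++;
    if (i >= n) break;
    if (linkHeader[i] !== "<") { // malformed entry: skip to next separator
      while (i < n && linkHeader[i] !== ",") i++;
      continue;
    }
    const close = linkHeader.indexOf(">", i + 1);
    if (close === -1) break; // unterminated URI-Reference, nothing usable
    const url = linkHeader.slice(i + 1, close);
    let end = linkHeader.indexOf(",", close + 1);
    if (end === -1) end = n;
    const params = new Map(); // a Map keeps a "__proto__" parameter inert
    for (const param of linkHeader.slice(close + 1, end).split(";")) {
      const eq = param.indexOf("=");
      if (eq === -1) continue;
      let value = param.slice(eq + 1).trim();
      if (value.length > 1 && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
      params.set(param.slice(0, eq).trim().toLowerCase(), value);
    }
    links.push({ url, params });
    i = end;
  }
  return links;
}

// Returns the deprecation URL or null. Only entries whose target parses as an
// absolute URL are reported, so a run of "<" is never mistaken for a link.
function deprecationUrl(linkHeader) {
  if (typeof linkHeader !== "string" || linkHeader.length > MAX_LINK_HEADER_LENGTH) return null;
  for (const { url, params } of parseLinkHeader(linkHeader)) {
    const rel = params.get("rel");
    if (rel === undefined || !rel.split(" ").includes("deprecation")) continue;
    try { new URL(url); return url; } catch { /* target is not a URL: skip */ }
  }
  return null;
}
```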
Original references
- @octokit/request changelog: https://github.com/octokit/request/releases
- GitHub commit addressing the issue (adjusted code to better handle potential edge cases): https://github.com/octokit/request/commit/6d73409d2aac722d7cfa4313a6acd1492fdfb787
In light of this discovery and potential exploit, it is strongly recommended that users of @octokit/request upgrade to version 9.2.1 or later to ensure the safety and reliability of their applications.
To upgrade, simply update your project's dependencies:
```shell
npm install @octokit/request@9.2.1
```
or
```shell
yarn add @octokit/request@9.2.1
```
By taking this step, you not only address the CVE-2025-25290 vulnerability but also benefit from the performance improvements and additional safeguards introduced in the latest version of the library. Stay safe and happy coding!
Timeline
Published on: 02/14/2025 20:15:35 UTC