CVE-2025-25290
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.3EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
14 fev 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Produtos afetados
octokit · request.jsQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126chttps://github.com/octokit/request.js/releases/tag/v8.4.1https://github.com/octokit/request.js/releases/tag/v9.2.1https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38