CVE-2025-25290

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.

References

Link	Resource
https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68
https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2
https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126c
https://github.com/octokit/request.js/releases/tag/v8.4.1
https://github.com/octokit/request.js/releases/tag/v9.2.1
https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38

Configurations

No configuration.

History

16 Jan 2026, 18:16

Type	Values Removed	Values Added
References		() https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2 - () https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126c - () https://github.com/octokit/request.js/releases/tag/v8.4.1 - () https://github.com/octokit/request.js/releases/tag/v9.2.1 -
Summary		(es) @octokit/request envía solicitudes parametrizadas a las API de GitHub con valores predeterminados razonables en los navegadores y Node. A partir de la versión 1.0.0 y antes de la versión 9.2.1, la expresión regular `/<([^>]+)>; rel="deprecation"/` utilizada para hacer coincidir el encabezado `link` en las respuestas HTTP es vulnerable a un ataque ReDoS (denegación de servicio de expresión regular). Esta vulnerabilidad surge debido a la naturaleza ilimitada del comportamiento de coincidencia de la expresión regular, que puede provocar un retroceso catastrófico al procesar una entrada especialmente manipulada. Un atacante podría explotar esta falla enviando un encabezado `link` malicioso, lo que resultaría en un uso excesivo de la CPU y potencialmente causaría que el servidor dejara de responder, lo que afectaría la disponibilidad del servicio. La versión 9.2.1 corrige el problema.
Summary	(en) @octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to version 9.2.1, the regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Version 9.2.1 fixes the issue.	(en) @octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.

14 Feb 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-14 20:15

Updated : 2026-01-16 18:16

NVD link : CVE-2025-25290

Mitre link : CVE-2025-25290

CVE.ORG link : CVE-2025-25290

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

5.3 /10