Medium severity 5.3 · OSV Advisory · Published Feb 14, 2025 · Updated Apr 15, 2026
CVE-2025-25288
Description
@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.
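ReDoS here means that a regular expression applied to the response's Link header backtracks badly on crafted input, so a consumer that hands an attacker-influenced header to the paginator stalls the event loop. The parser below is an added example, not octokit's code: it extracts the rel="next" URL with one left-to-right scan, so no backtracking pattern ever sees the untrusted header. The function names and the two sample headers are constructed for this example.

```javascript
// Added example, not the octokit project's code: pull the rel="next" URL out of
// an HTTP Link header with one scan, in time linear in the header length.
// Split a Link header into link-values. A comma separates values only when it
// sits outside <...> and outside a quoted parameter value (RFC 8288 syntax).
function splitLinkValues(header) {
  const values = [];
  let current = "";
  let inAngle = false, inQuote = false;
  for (const ch of header) {
    if (ch === "<" && !inQuote) inAngle = true;
    else if (ch === ">" && !inQuote) inAngle = false;
    else if (ch === '"' && !inAngle) inQuote = !inQuote;
    if (ch === "," && !inAngle && !inQuote) {
      values.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  values.push(current);
  return values;
}
// Return the URL whose rel parameter lists "next", or undefined if none does.
function nextLinkFromHeader(header) {
  if (typeof header !== "string") return undefined;
  for (const raw of splitLinkValues(header)) {
    const value = raw.trim();
    const close = value.indexOf(">");
    // A link-value opens with "<" and the URI must be closed by a ">".
    if (!value.startsWith("<") || close < 2) continue;
    const url = value.slice(1, close);
    for (const param of value.slice(close + 1).split(";")) {
      const eq = param.indexOf("=");
      if (eq === -1) continue;
      const name = param.slice(0, eq).trim().toLowerCase();
      let val = param.slice(eq + 1).trim();
      if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
      // rel may list several relation types separated by spaces.
      if (name === "rel" && val.toLowerCase().split(" ").includes("next")) return url;
    }
  }
  return undefined;
}
// Constructed inputs: a GitHub-style header, and a hostile header of repeated
// "<" that a backtracking pattern would re-scan from every position.
const SAMPLE_LINK = '<https://api.github.com/repositories/1/issues?page=2>; rel="next", ' +
  '<https://api.github.com/repositories/1/issues?page=5>; rel="last"';
const HOSTILE_LINK = "<".repeat(200000) + '; rel="next"';
```

Running `nextLinkFromHeader(HOSTILE_LINK)` returns `undefined` immediately, which is the behaviour to expect from any Link-header parser placed in front of untrusted API responses.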
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @octokit/plugin-paginate-rest (npm) | >= 9.3.0-beta.1, < 11.4.1 | 11.4.1 |
| @octokit/plugin-paginate-rest (npm) | >= 1.0.0, < 9.2.2 | 9.2.2 |
Affected products
- Range: v1.0.0, v1.0.1, v1.0.2, …
- OSV coordinates (13 packages):

| Package (purl) | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/lerna | (no CPE) | < 8.2.1-r0 |
| pkg:apk/chainguard/prism | (no CPE) | < 5.14.3-r8 |
| pkg:apk/chainguard/renovate | (no CPE) | < 39.175.6-r0 |
| pkg:apk/chainguard/tileserver-gl | (no CPE) | < 5.4.0-r2 |
| pkg:apk/chainguard/tileserver-gl-compat | (no CPE) | < 5.4.0-r2 |
| pkg:apk/chainguard/tileserver-gl-fips | (no CPE) | < 5.4.0-r2 |
| pkg:apk/chainguard/tileserver-gl-fips-compat | (no CPE) | < 5.4.0-r3 |
| pkg:apk/wolfi/lerna | (no CPE) | < 8.2.1-r0 |
| pkg:apk/wolfi/prism | (no CPE) | < 5.14.3-r8 |
| pkg:apk/wolfi/renovate | (no CPE) | < 39.175.6-r0 |
| pkg:apk/wolfi/tileserver-gl | (no CPE) | < 5.4.0-r2 |
| pkg:apk/wolfi/tileserver-gl-compat | (no CPE) | < 5.4.0-r2 |
| pkg:npm/%40octokit/plugin-paginate-rest | (no CPE) | >= 9.3.0-beta.1, < 11.4.1 |
References
- github.com/advisories/GHSA-h5c3-5r3r-rr8q (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-25288 (GHSA, advisory)
- github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts (NVD, web)
- github.com/octokit/plugin-paginate-rest.js/commit/bb6c4f945d8023902cf387391d2b2209261044ab (NVD, web)
- github.com/octokit/plugin-paginate-rest.js/releases/tag/v9.2.2 (GHSA, web)
- github.com/octokit/plugin-paginate-rest.js/security/advisories/GHSA-h5c3-5r3r-rr8q (NVD, web)