Medium severity · 5.3 (NVD Advisory) · Published Feb 14, 2025 · Updated Apr 15, 2026
CVE-2025-25288
Description
@octokit/plugin-paginate-rest is the Octokit plugin that paginates REST API endpoint responses. In versions of the npm package @octokit/plugin-paginate-rest from 1.0.0 up to, but not including, 11.4.1, calling octokit.paginate.iterator() on a specially crafted octokit instance, in particular one whose request carries a malicious link parameter in its headers section, can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.
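To make the mechanism concrete, the following is an added example (not code from the advisory or from the octokit project): it places the pre-fix and patched regular expressions from the iterator side by side, shows that the patched one handles a hostile link header in linear time, and adds a regex-free parser for `Link` headers as a defence-in-depth alternative. The sample headers are constructed here; the function names `extractNextUrl`, `parseLinkHeader` and `timed` are this example's own.

```javascript
// Added example, not part of the advisory or of @octokit/plugin-paginate-rest.
// Both regexes are taken from the fix commit; everything else is illustrative.

// Pattern used before the fix: `[^>]+` consumes a whole run of '<' characters,
// so on input like "<<<<...<>" every starting '<' rescans to the final '>' and
// then fails on the missing ';'. Work grows quadratically with header length.
const VULNERABLE_NEXT_RE = /<([^>]+)>;\s*rel="next"/;

// Patched pattern (11.4.1 / 9.2.2): excluding '<' from the class makes each
// attempt fail at the very next character, so the scan stays linear.
const PATCHED_NEXT_RE = /<([^<>]+)>;\s*rel="next"/;

// Extract the "next" URL the same way the patched iterator does
// (undefined when there is no "next" link or no header at all).
function extractNextUrl(linkHeader) {
  return ((linkHeader || "").match(PATCHED_NEXT_RE) || [])[1];
}

// Regex-free alternative: split on commas, take the text between the first
// '<' and the following '>' of each part, then read rel="..." from the
// parameters. Every step is a bounded forward scan, so it cannot backtrack.
// (Assumes URLs in the header contain no unencoded commas.)
function parseLinkHeader(linkHeader) {
  const links = {};
  for (const part of (linkHeader || "").split(",")) {
    const open = part.indexOf("<");
    const close = open === -1 ? -1 : part.indexOf(">", open + 1);
    if (open === -1 || close === -1) continue;
    const url = part.slice(open + 1, close);
    for (const param of part.slice(close + 1).split(";")) {
      const [key, rawValue] = param.split("=").map((s) => s.trim());
      if (key === "rel" && rawValue !== undefined) {
        links[rawValue.replace(/^"|"$/g, "")] = url;
      }
    }
  }
  return links;
}

// Wall-clock timing helper, returns the call's result and elapsed milliseconds.
function timed(fn) {
  const start = Date.now();
  const result = fn();
  return { result, elapsedMs: Date.now() - start };
}

// Constructed sample inputs.
const NORMAL_HEADER =
  '<https://api.github.com/users/aseemk/followers?page=2>; rel="next", ' +
  '<https://api.github.com/users/aseemk/followers?page=3>; rel="last"';
// Same shape as the attack string in the project's regression test.
const HOSTILE_HEADER = "<".repeat(100000) + ">";

function demo() {
  const next = extractNextUrl(NORMAL_HEADER);
  const parsed = parseLinkHeader(NORMAL_HEADER);
  // Patched regex over the 100 000-character hostile header: no match, fast.
  const hostile = timed(() => extractNextUrl(HOSTILE_HEADER));
  // The pre-fix regex is only exercised on a much shorter string here; at
  // 100 000 characters it would run for minutes, which is the reported issue.
  const small = timed(() => ("<".repeat(3000) + ">").match(VULNERABLE_NEXT_RE));
  return { next, parsed, hostile, smallVulnerableMatch: small.result };
}

console.log(demo());
```

`demo()` returns the extracted "next" URL, the full rel-to-URL map from the regex-free parser, and the timing of the patched regex over the hostile header; a practitioner can raise the `repeat` count on the pre-fix pattern to watch its cost grow quadratically while the patched pattern stays flat.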
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @octokit/plugin-paginate-rest (npm) | >= 9.3.0-beta.1, < 11.4.1 | 11.4.1 |
| @octokit/plugin-paginate-rest (npm) | >= 1.0.0, < 9.2.2 | 9.2.2 |
Patches
27d1fade7d425bb6c4f945d80 · Merge commit from fork
2 files changed · +33 −1
src/iterator.ts+1 −1 modified@@ -37,7 +37,7 @@ export function iterator( // '<https://api.github.com/users/aseemk/followers?page=2>; rel="next", <https://api.github.com/users/aseemk/followers?page=2>; rel="last"' // sets `url` to undefined if "next" URL is not present or `link` header is not set url = ((normalizedResponse.headers.link || "").match( - /<([^>]+)>;\s*rel="next"/, + /<([^<>]+)>;\s*rel="next"/, ) || [])[1]; return { value: normalizedResponse };
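Review bot: the character-class change from `[^>]+` to `[^<>]+` is the entire fix, but the hunk leaves no record of why it matters: with `[^>]+`, a long run of `<` characters lets the attempt started at each `<` consume everything up to the single `>` and then fail on the missing `;`, so the work grows quadratically with the header length, whereas `[^<>]+` fails at the very next character and keeps the scan linear. Add a short comment above the regex stating that `<` is excluded from the class on purpose, so that a later tidy-up does not restore the original pattern, and consider whether `normalizedResponse.headers.link` should be length-capped before matching, since that header is controlled by whoever answers the request.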
test/paginate.test.ts+32 −0 modified@@ -10,6 +10,38 @@ const ORG2 = { id: 2 }; const TestOctokit = Octokit.plugin(paginateRest, restEndpointMethods); describe("pagination", () => { + it("Test ReDoS - attack string", async () => { + const ReDosOctokit = Octokit.plugin(paginateRest); + const octokit = new ReDosOctokit({ + auth: "your-github-token", + }); + octokit.hook.wrap("request", async (request, options) => { + const maliciousLinkHeader = "" + "<".repeat(100000) + ">"; + return { + data: [], + headers: { + link: maliciousLinkHeader, + }, + }; + }); + const startTime = performance.now(); + try { + for await (const normalizedResponse of octokit.paginate.iterator( + "GET /repos/{owner}/{repo}/issues", { owner: "DayShift", repo: "ReDos", per_page: 100 } + )) {} + } catch (error) { + // pass + } + const endTime = performance.now(); + const elapsedTime = endTime - startTime; + const reDosThreshold = 2000; + + expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold); + if (elapsedTime > reDosThreshold) { + console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`); + } + }); + it(".paginate()", async () => { const mock = fetchMock .createInstance()
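Review bot: the `catch (error) { // pass }` around the `for await` loop swallows every exception, so the test also passes when the iterator throws before doing any work, and the `console.warn` placed after `expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold)` can never execute because a failing expect throws first. Either drop the try/catch (the hook returns a complete response, so no error is expected) or assert that no error was caught, move the warning before the expect, and note that a 2000 ms wall-clock threshold is sensitive to CI load; additionally asserting that the loop yielded exactly one page (the hooked header carries no usable `next` link) would pin the behaviour without relying on timing.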
References
- github.com/advisories/GHSA-h5c3-5r3r-rr8q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-25288 (ghsa, ADVISORY)
- github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts (nvd, WEB)
- github.com/octokit/plugin-paginate-rest.js/commit/bb6c4f945d8023902cf387391d2b2209261044ab (nvd, WEB)
- github.com/octokit/plugin-paginate-rest.js/releases/tag/v9.2.2 (ghsa, WEB)
- github.com/octokit/plugin-paginate-rest.js/security/advisories/GHSA-h5c3-5r3r-rr8q (nvd, WEB)