VYPR
Medium severity5.3OSV Advisory· Published Feb 14, 2025· Updated Apr 15, 2026

CVE-2025-25289

CVE-2025-25289

Description

@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@octokit/request-errornpm
>= 1.0.0, < 5.1.15.1.1
@octokit/request-errornpm
>= 6.0.0, < 6.1.76.1.7

Affected products

14

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.