CVE-2025-25289
Description
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @octokit/request-error (npm) | >= 1.0.0, < 5.1.1 | 5.1.1 |
| @octokit/request-error (npm) | >= 6.0.0, < 6.1.7 | 6.1.7 |
Affected products (14)
- Range: v1.0.0, v1.0.1, v1.0.2, …
- osv-coords, 13 versions (no CPE for any entry):
  - pkg:apk/chainguard/lerna, range: < 8.2.1-r0
  - pkg:apk/chainguard/prism, range: < 5.14.3-r8
  - pkg:apk/chainguard/renovate, range: < 39.174.0-r0
  - pkg:apk/chainguard/tileserver-gl, range: < 5.4.0-r2
  - pkg:apk/chainguard/tileserver-gl-compat, range: < 5.4.0-r2
  - pkg:apk/chainguard/tileserver-gl-fips, range: < 5.4.0-r2
  - pkg:apk/chainguard/tileserver-gl-fips-compat, range: < 5.4.0-r3
  - pkg:apk/wolfi/lerna, range: < 8.2.1-r0
  - pkg:apk/wolfi/prism, range: < 5.14.3-r8
  - pkg:apk/wolfi/renovate, range: < 39.174.0-r0
  - pkg:apk/wolfi/tileserver-gl, range: < 5.4.0-r2
  - pkg:apk/wolfi/tileserver-gl-compat, range: < 5.4.0-r2
  - pkg:npm/%40octokit/request-error, range: >= 1.0.0, < 5.1.1
References (5)
- github.com/advisories/GHSA-xx4v-prfh-6cgc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-25289 (ghsa, ADVISORY)
- github.com/octokit/request-error.js/blob/main/src/index.ts (nvd, WEB)
- github.com/octokit/request-error.js/commit/d558320874a4bc8d356babf1079e6f0056a59b9e (nvd, WEB)
- github.com/octokit/request-error.js/security/advisories/GHSA-xx4v-prfh-6cgc (nvd, WEB)