CVE-2025-25289
Description
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @octokit/request-error (npm) | >= 1.0.0, < 5.1.1 | 5.1.1 |
| @octokit/request-error (npm) | >= 6.0.0, < 6.1.7 | 6.1.7 |
Patches
2c346f5cf3ee9d558320874a4 · Merge commit from fork
2 files changed · +35 −1
src/index.ts+1 −1 modified@@ -49,7 +49,7 @@ export class RequestError extends Error { if (options.request.headers.authorization) { requestCopy.headers = Object.assign({}, options.request.headers, { authorization: options.request.headers.authorization.replace( - / .*$/, + /(?<! ) .*$/, " [REDACTED]", ), });
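Review bot: the negative lookbehind removes the quadratic backtracking, but `.*$` still cannot match when the header value contains a newline (`.` stops at `\n`, and without the `m` flag `$` only matches at end of input), so such a value is copied into `requestCopy.headers.authorization` unredacted; the attack string in the accompanying test is exactly that case. A regex-free split on the first space, e.g. `const i = authorization.indexOf(" ");` and `i === -1 ? authorization : authorization.slice(0, i) + " [REDACTED]"`, is linear in the input and still redacts when a newline is present. Either way, a short comment explaining why `(?<! )` is there would help the next reader, since the pattern is opaque without the ReDoS context.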
test/request-error.test.ts+34 −0 modified@@ -17,6 +17,40 @@ const mockOptions: RequestErrorOptions = { }; describe("RequestError", () => { + test("Test ReDoS - attack string", () => { + const startTime = performance.now(); + const error = new RequestError("Oops", 500, { + request: { + method: "POST", + url: "https://api.github.com/foo", + body: { + bar: "baz", + }, + headers: { + authorization: ""+" ".repeat(100000)+"\n@", + }, + }, + response: { + status: 500, + url: "https://api.github.com/foo", + headers: { + "x-github-request-id": "1:2:3:4", + }, + data: { + foo: "bar", + }, + }, + }); + const endTime = performance.now(); + const elapsedTime = endTime - startTime; + const reDosThreshold = 2000; + + expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold); + if (elapsedTime > reDosThreshold) { + console.warn(`🚨 Potential ReDoS Attack! getDuration method took ${elapsedTime.toFixed(2)} ms, exceeding threshold of ${reDosThreshold} ms.`); + } + }); + test("inherits from Error", () => { const error = new RequestError("test", 123, mockOptions); expect(error).toBeInstanceOf(Error);
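Review bot: the `console.warn` branch after `expect(elapsedTime).toBeLessThanOrEqual(reDosThreshold)` is unreachable, because a failing `expect` throws before the `if` runs, and its message refers to a `getDuration` method that does not exist in this test; drop the branch or fold the text into the assertion's failure message. A 2000 ms wall-clock threshold is also environment dependent (a loaded CI runner can exceed it even with the fixed pattern), so pair the timing check with a deterministic assertion on the redacted header value, which for this input must equal the original string since `/(?<! ) .*$/` cannot match across the newline. Minor: `""+" ".repeat(100000)+"\n@"` has a redundant `""+` prefix.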
Vulnerability mechanics
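The following is an added example, not code from the @octokit/request-error project or from the advisory. It places the pre-6.1.7 pattern `/ .*$/`, the 6.1.7 pattern `/(?<! ) .*$/`, and a regex-free `indexOf` split (an assumed alternative, not something the project ships) side by side, redacts an ordinary header with each, and then times them on a constructed input shaped like the advisory's string (n spaces, a newline, `@`) at two sizes so the quadratic growth of the old pattern is visible. The function names, header values and sizes are constructed for illustration.

```javascript
// Added example (not @octokit/request-error code): three ways to redact an
// authorization header. For "Scheme token" all three yield "Scheme [REDACTED]";
// they differ in cost on hostile input and in how they treat embedded newlines.

// Pattern from versions < 6.1.7. Every space is a candidate start; for each
// one `.*` runs up to the newline, `$` fails (no `m` flag, so `$` is end of
// input only) and the engine backtracks one character at a time. Cost ~ n^2.
function redactVulnerable(authorization) {
  return authorization.replace(/ .*$/, " [REDACTED]");
}

// Pattern from the 6.1.7 fix. The negative lookbehind only admits a space that
// is not preceded by a space, so a run of spaces is attempted once, not n times.
function redactFixed(authorization) {
  return authorization.replace(/(?<! ) .*$/, " [REDACTED]");
}

// Regex-free alternative (assumption: same intent as the original, everything
// after the first space is the secret). One indexOf, linear time, and it still
// redacts when the value contains a newline, which neither regex does.
function redactLinear(authorization) {
  const i = authorization.indexOf(" ");
  return i === -1 ? authorization : authorization.slice(0, i) + " [REDACTED]";
}

// Constructed input with the shape described in the advisory: n spaces, then a
// newline and "@". `.` never crosses the newline, so `$` can never succeed and
// every backtracking path is explored before the regex gives up.
function hostileHeader(n) {
  return " ".repeat(n) + "\n@";
}

// Wall-clock milliseconds for one redaction call (illustration only).
function timeRedact(redact, n) {
  const header = hostileHeader(n);
  const start = performance.now();
  redact(header);
  return performance.now() - start;
}

// Constructed, non-secret sample value.
const ordinary = "token ghp_constructedExampleValue";
for (const fn of [redactVulnerable, redactFixed, redactLinear]) {
  console.log(fn.name.padEnd(16), JSON.stringify(fn(ordinary)));
}

// Doubling n roughly quadruples the vulnerable pattern's cost, while the fixed
// pattern and the indexOf version stay flat. Sizes kept small so this runs fast.
for (const n of [5000, 10000]) {
  console.log(
    `n=${n}`,
    `vulnerable=${timeRedact(redactVulnerable, n).toFixed(1)}ms`,
    `fixed=${timeRedact(redactFixed, n).toFixed(1)}ms`,
    `linear=${timeRedact(redactLinear, n).toFixed(1)}ms`,
  );
}
```

Note that on the hostile input both regex variants leave the header untouched (no match), which is why a test for the fix can assert on the unchanged value rather than only on elapsed time; the `indexOf` variant redacts it.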
References
- github.com/advisories/GHSA-xx4v-prfh-6cgc (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-25289 (source: GHSA; type: advisory)
- github.com/octokit/request-error.js/blob/main/src/index.ts (source: NVD; type: web)
- github.com/octokit/request-error.js/commit/d558320874a4bc8d356babf1079e6f0056a59b9e (source: NVD; type: web)
- github.com/octokit/request-error.js/security/advisories/GHSA-xx4v-prfh-6cgc (source: NVD; type: web)