VYPR
Medium severity (CVSS 5.3) · OSV Advisory · Published Feb 14, 2025 · Updated Apr 15, 2026

CVE-2025-25290

Description

@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
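As an added example (not code from @octokit/request or from this advisory's references): the regex quoted above beside a bounded variant, with a small cost check a maintainer can run against a constructed header. The bounded regex is an assumed hardening for illustration, not the project's actual patch, and the sample Link header is constructed.

```javascript
// Regex quoted in the advisory. `[^>]+` also consumes `<`, so on a header
// made of many `<` with no closing `>` the engine runs to the end, backtracks
// one character at a time, then retries from every later `<`: quadratic work.
const ADVISORY_RE = /<([^>]+)>; rel="deprecation"/;

// Assumed hardening for this example (not the project's own fix): keep `<`
// out of the class so each attempt stops at the next `<` and total work
// stays linear in the header length.
const BOUNDED_RE = /<([^<>]+)>; rel="deprecation"/;

// Extract the deprecation URL from a Link header value, or null if absent.
function deprecationLink(linkHeader, re = BOUNDED_RE) {
  if (typeof linkHeader !== "string") return null;
  const m = re.exec(linkHeader);
  return m ? m[1] : null;
}

// Constructed pathological header: n '<' characters and never a '>'.
function pathologicalLinkHeader(n) {
  return "<".repeat(n);
}

// Milliseconds a regex needs to reject a header of n '<' characters.
function matchCostMs(re, n) {
  const header = pathologicalLinkHeader(n);
  const t0 = process.hrtime.bigint();
  re.test(header);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed sample of a well-formed GitHub-style Link header.
const SAMPLE_LINK =
  '<https://api.github.com/repositories/1?page=2>; rel="next", ' +
  '<https://docs.github.com/rest/deprecation>; rel="deprecation"';

if (typeof require !== "undefined" && require.main === module) {
  console.log("normal header:", deprecationLink(SAMPLE_LINK));
  // Doubling n should roughly quadruple the advisory regex's time and
  // only double the bounded one's.
  for (const n of [2000, 4000, 8000]) {
    console.log(
      `n=${n}: advisory regex ${matchCostMs(ADVISORY_RE, n).toFixed(1)} ms,` +
        ` bounded regex ${matchCostMs(BOUNDED_RE, n).toFixed(1)} ms`
    );
  }
}
```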

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions           Patched version
@octokit/request    npm         >= 9.0.0-beta.1, < 9.2.1    9.2.1
@octokit/request    npm         >= 1.0.0, < 8.4.1           8.4.1
