Bug 2345820 (CVE-2025-25285) - CVE-2025-25285 octokit/endpoint: @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Summary: CVE-2025-25285 octokit/endpoint: @octokit/endpoint has a Regular Expression i...
Keywords:
Status: NEW
Alias: CVE-2025-25285
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-14 20:01 UTC by OSIDB Bzimport
Modified: 2025-05-06 08:28 UTC (History)
52 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-14 20:01:09 UTC 
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue.
Note You need to log in before you can comment on or make changes to this bug.