Bug 2345822 (CVE-2025-25288) - CVE-2025-25288 octokit/plugin-paginate-rest: @octokit/plugin-paginate-rest has a Regular Expression in iterator that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Summary: CVE-2025-25288 octokit/plugin-paginate-rest: @octokit/plugin-paginate-rest ha...
Keywords:
Status: NEW
Alias: CVE-2025-25288
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-02-14 20:01 UTC by OSIDB Bzimport
Modified: 2025-05-06 08:29 UTC (History)
CC: 52 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-02-14 20:01:14 UTC
@octokit/plugin-paginate-rest is the Octokit plugin that paginates REST API endpoint responses. In versions of the npm package `@octokit/plugin-paginate-rest` from 1.0.0 up to but not including 11.4.1, `octokit.paginate.iterator()` extracts the next-page URL from the `link` header with a regular expression that is subject to catastrophic backtracking. A specially crafted `octokit` instance, in particular one whose `request` carries a malicious `link` value in its `headers`, can therefore trigger a ReDoS (regular expression denial of service) attack. Version 11.4.1 contains a fix for the issue.

