@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
- Severity:
- Medium
Description
By crafting specific options parameters, the endpoint.parse(options) call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.
Recommendation
Update the @octokit/endpoint package to the latest compatible version. Followings are version details:
Affected version(s): **>= 10.0.0, < 10.1.3 >= 9.0.5, < 9.0.6** Patched version(s): **10.1.3 9.0.6**
References
Related Issues
- @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtrack - CVE-2025-25289
- @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtrac - CVE-2025-25290
- @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Back - CVE-2025-25288
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- Tags:
- npm
- @octokit/endpoint
Anything's wrong? Let us know Last updated on February 14, 2025