@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
- Severity:
- Medium
Description
By crafting specific options parameters, the endpoint.parse(options) call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.
Recommendation
Update the @octokit/endpoint package to the latest compatible version. Followings are version details:
Affected version(s): **>= 10.0.0, < 10.1.3 >= 9.0.5, < 9.0.6** Patched version(s): **10.1.3 9.0.6**
References
Related Issues
- Opening a malicious website while running a Nuxt dev server could allow read-only access to code (GHSA-4gf7-ff8x-hq99) - CVE-2025-24361
- Opening a malicious website while running a Nuxt dev server could allow read-only access to code (GHSA-2452-6xj8-jh47) - CVE-2025-24360
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Incorrect default cookie name and recommendation - Vulnerability
- Tags:
- npm
- @octokit/endpoint
Anything's wrong? Let us know Last updated on February 14, 2025