@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Back
- Severity:
- Medium
Description
For the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack.
Recommendation
Update the @octokit/plugin-paginate-rest package to the latest compatible version. Followings are version details:
Affected version(s): **>= 1.0.0, < 9.2.2 >= 9.3.0-beta.1, < 11.4.1** Patched version(s): **9.2.2 11.4.1**
References
Related Issues
- @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25285
- @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtrac - CVE-2025-25290
- @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtrack - CVE-2025-25289
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- Tags:
- npm
- @octokit/plugin-paginate-rest
Anything's wrong? Let us know Last updated on February 18, 2025