@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Back

Description

For the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack.

Recommendation

Update the @octokit/plugin-paginate-rest package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 1.0.0, < 9.2.2

  >= 9.3.0-beta.1, < 11.4.1**

• Patched version(s): **9.2.2

  11.4.1**

References

• GHSA-h5c3-5r3r-rr8q
• CVE-2025-25288
• CWE-1333
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability (GHSA-m5vv-6r4h-3vj9) - CVE-2024-35255
• webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browse - CVE-2025-30360
• @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtrac - CVE-2025-25290
• @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtrack - CVE-2025-25289

Tags:

npm

@octokit/plugin-paginate-rest