@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtrack

Severity:: Medium

Description

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and “@”, an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption.

Recommendation

Update the @octokit/request-error package to the latest compatible version. Followings are version details:

Affected version(s): **>= 6.0.0, < 6.1.7 >= 1.0.0, < 5.1.1**
Patched version(s): **6.1.7 5.1.1**

References

GHSA-xx4v-prfh-6cgc
CVE-2025-25289
CWE-1333
CAPEC-310
OWASP 2021-A6

Related Issues

@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtrac - CVE-2025-25290
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25285
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Back - CVE-2025-25288
tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809

Tags:: npm; @octokit/request-error

Anything's wrong? Let us know Last updated on February 14, 2025