@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
- Severity: Medium
Description
The regular expression /<([^>]+)>; rel="deprecation"/ that fetchWrapper uses to extract the deprecation URL from the Link header of an HTTP response is vulnerable to ReDoS (Regular Expression Denial of Service). The [^>]+ group is unbounded: on a header that contains many < characters and no closing >, every < starts a match attempt that scans to the end of the header and then backtracks one character at a time, so matching time grows quadratically with header length (catastrophic backtracking on specially crafted input). Because the header comes from the HTTP response, any server the client is pointed at, or anything able to tamper with the response in transit, can supply such a header and tie up the process.
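The backtracking described above, shown with a constructed hostile Link header next to a single-pass parser that extracts the same value in linear time. This is an added example, not @octokit/request's own code and not the project's actual fix; the function names, the sample headers and the timing helper are assumptions made for the illustration.

```javascript
// Added example: the vulnerable pattern quoted in the advisory, a
// linear-time replacement with the same matching semantics, and a
// constructed hostile Link header. Not @octokit/request's code or fix.

// The regex quoted in the advisory.
const VULNERABLE_RE = /<([^>]+)>; rel="deprecation"/;

// Regex-based extraction as the advisory describes it: returns the URL
// inside <...> for the link-value tagged rel="deprecation", else null.
function deprecationLinkRegex(linkHeader) {
  const m = linkHeader.match(VULNERABLE_RE);
  return m ? m[1] : null;
}

// Single-pass replacement:
//   * remember the first "<" seen since the last ">",
//   * on ">", accept if at least one character lies between them and the
//     literal '; rel="deprecation"' follows; otherwise forget the "<".
// Each character is visited once and startsWith compares at most the
// marker's length, so the cost is O(header length) for any input.
function deprecationLinkLinear(linkHeader) {
  const marker = '; rel="deprecation"';
  let open = -1;
  for (let i = 0; i < linkHeader.length; i++) {
    const ch = linkHeader[i];
    if (ch === "<") {
      if (open === -1) open = i;
    } else if (ch === ">") {
      if (open !== -1 && i - open >= 2 && linkHeader.startsWith(marker, i + 1)) {
        return linkHeader.slice(open + 1, i);
      }
      open = -1;
    }
  }
  return null;
}

// Hostile header (constructed): n "<" characters and no ">". With the
// regex, every "<" starts an attempt that scans to the end of the string
// and then backtracks one character at a time, so work grows quadratically.
function hostileLinkHeader(n) {
  return "<".repeat(n);
}

// Run both parsers on a hostile header of length n and report the
// results and elapsed milliseconds (timing helper, assumed for the demo).
function compare(n) {
  const hostile = hostileLinkHeader(n);
  const t0 = Date.now();
  const regexResult = deprecationLinkRegex(hostile);
  const regexMs = Date.now() - t0;
  const t1 = Date.now();
  const linearResult = deprecationLinkLinear(hostile);
  const linearMs = Date.now() - t1;
  return { n, regexResult, linearResult, regexMs, linearMs };
}

// Constructed benign header in the shape GitHub uses for pagination plus a
// deprecation link (URLs are placeholders).
const SAMPLE_LINK =
  '<https://api.github.com/repos/o/r/issues?page=2>; rel="next", ' +
  '<https://docs.example.com/deprecation-notice>; rel="deprecation"';
```

Calling compare(20000) in Node shows the regex path taking orders of magnitude longer than the linear scan while both return null for the hostile header; on SAMPLE_LINK both return the deprecation URL. The linear parser keeps the regex's exact semantics (the URL may itself contain "<", must contain no ">", and must be non-empty), which is the property to check before swapping a parser in: a "fix" that also changes what is accepted is a different bug.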
Recommendation
Update the @octokit/request package to the latest compatible version: 8.4.1 or later on the 8.x line, or 9.2.1 or later on the 9.x line. The package is usually pulled in transitively (for example through @octokit/core or octokit), so confirm the resolved version with npm ls @octokit/request rather than only checking direct dependencies. Version details:
Affected version(s): **>= 1.0.0, < 8.4.1** and **>= 9.0.0-beta.1, < 9.2.1**
Patched version(s): **8.4.1** and **9.2.1**
References
Related Issues
- @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25289
- @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25285
- @octokit/plugin-paginate-rest has a Regular Expression in iterator that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25288
- tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability - CVE-2026-22809
- Tags: npm, @octokit/request
Last updated on January 16, 2026