@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Severity: Medium
Description
The regular expression `/<([^>]+)>; rel="deprecation"/`, used to match the `link` header in HTTP responses, is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. The vulnerability arises because the regex's matching behavior is unbounded: the `[^>]+` group can be re-scanned from many starting positions, which leads to catastrophic backtracking when a specially crafted `link` header is processed.
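As an added example (not code from @octokit/request), the advisory's pattern is shown next to a hardened pattern that excludes `<` from the captured group, and next to a single-pass parser that needs no backtracking regex at all; the length cap, the hardened pattern and the sample headers are this example's own assumptions, not a claim about the upstream patch.

```javascript
// The pattern quoted in the advisory, kept only for comparison.
const VULNERABLE_RE = /<([^>]+)>; rel="deprecation"/;
// Hardened form (assumption, not the upstream fix): '<' cannot appear inside the
// capture, so a run of '<' characters is not re-scanned from every position.
const HARDENED_RE = /<([^<>]+)>; rel="deprecation"/;
// Constructed cap: reject oversized headers before any pattern is applied.
const MAX_LINK_HEADER = 8192;

function deprecationUrlVulnerable(linkHeader) {
  const m = typeof linkHeader === "string" && linkHeader.match(VULNERABLE_RE);
  return m ? m[1] : null;
}

function deprecationUrlHardened(linkHeader) {
  if (typeof linkHeader !== "string" || linkHeader.length > MAX_LINK_HEADER) return null;
  const m = linkHeader.match(HARDENED_RE);
  return m ? m[1] : null;
}

// Linear-time alternative: walk the header once with indexOf/lastIndexOf, so the
// cost is proportional to the header length regardless of its content.
// Assumes no ',' inside a URL target (the same simplification the regex makes).
function deprecationUrlLinear(linkHeader) {
  if (typeof linkHeader !== "string" || linkHeader.length > MAX_LINK_HEADER) return null;
  let pos = 0;
  while (pos < linkHeader.length) {
    const close = linkHeader.indexOf(">", pos);
    if (close === -1) return null;
    const open = linkHeader.lastIndexOf("<", close); // innermost '<' before '>'
    if (open === -1 || open < pos) { pos = close + 1; continue; }
    const url = linkHeader.slice(open + 1, close);
    const end = linkHeader.indexOf(",", close);
    const params = linkHeader.slice(close + 1, end === -1 ? linkHeader.length : end);
    if (params.split(";").some((p) => p.trim() === 'rel="deprecation"')) return url;
    pos = close + 1;
  }
  return null;
}

// Constructed sample headers (example.com, not real endpoints).
const SAMPLE_HEADER =
  '<https://api.example.com/items?page=2>; rel="next", ' +
  '<https://api.example.com/deprecated>; rel="deprecation"';
const NESTED_HEADER = '<<https://api.example.com/deprecated>; rel="deprecation"';

console.log(deprecationUrlHardened(SAMPLE_HEADER)); // https://api.example.com/deprecated
console.log(deprecationUrlLinear(NESTED_HEADER));   // https://api.example.com/deprecated
```

On the nested header the advisory's pattern captures the stray `<` as part of the URL, while the hardened pattern and the linear parser both return the bare URL.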
Recommendation
Update the @octokit/request package to the latest compatible version. Version details:
- Affected version(s): **>= 1.0.0, < 8.4.1** and **>= 9.0.0-beta.1, < 9.2.1**
- Patched version(s): **8.4.1** and **9.2.1**
Last updated on February 18, 2025