@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Severity: Medium
Description
The regular expression `/<([^>]+)>; rel="deprecation"/`, used to match the `link` header in HTTP responses, is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. The vulnerability arises from the unbounded matching behavior of the pattern, which can lead to catastrophic backtracking when a specially crafted `link` header is processed.
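As an added example that is not part of this advisory or of the @octokit/request code base, the following JavaScript extracts the `rel="deprecation"` link from a `Link` header with a single left-to-right scan instead of the pattern above, so the work stays linear in the header length whatever shape the input has. The length cap `MAX_LINK_HEADER_LENGTH`, the helper names and the sample headers are assumptions chosen for illustration.

```javascript
// Added example (not code from @octokit/request): parse an HTTP Link header
// without the backtracking-prone pattern /<([^>]+)>; rel="deprecation"/.
// Every character is visited once, so the cost is linear in the header length.

// Defensive cap on header length: the value comes from the server, so bound it
// before doing any work on it. (Assumed value, chosen for illustration.)
const MAX_LINK_HEADER_LENGTH = 8192;

// Split a Link header into its comma-separated link-values, ignoring commas
// that appear inside the <...> URI or inside a quoted parameter value.
function splitLinkValues(header) {
  const parts = [];
  let current = "";
  let inAngle = false;
  let inQuote = false;
  for (const ch of header) {
    if (ch === "<" && !inQuote) inAngle = true;
    else if (ch === ">" && !inQuote) inAngle = false;
    else if (ch === '"' && !inAngle) inQuote = !inQuote;
    if (ch === "," && !inAngle && !inQuote) {
      parts.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts;
}

// Parse one link-value such as `<https://example.test/v2>; rel="deprecation"`
// into { uri, params }. Returns null when the value is malformed (for instance
// an opening "<" that is never closed), without rescanning any input.
function parseLinkValue(value) {
  const trimmed = value.trim();
  if (!trimmed.startsWith("<")) return null;
  const close = trimmed.indexOf(">"); // single scan, no backtracking
  if (close === -1) return null;
  const uri = trimmed.slice(1, close);
  const params = {};
  for (const raw of trimmed.slice(close + 1).split(";")) {
    const p = raw.trim();
    if (!p) continue;
    const eq = p.indexOf("=");
    const name = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? "" : p.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
      val = val.slice(1, -1); // strip the surrounding quotes
    }
    params[name] = val;
  }
  return { uri, params };
}

// Return the URI of the link whose rel includes "deprecation", or null.
// rel may list several space-separated relation types, so check each one.
function findDeprecationLink(header) {
  if (typeof header !== "string" || header.length > MAX_LINK_HEADER_LENGTH) {
    return null; // oversized or missing header: refuse rather than parse
  }
  for (const value of splitLinkValues(header)) {
    const link = parseLinkValue(value);
    if (!link || link.params.rel === undefined) continue;
    const rels = link.params.rel.split(/\s+/).filter(Boolean);
    if (rels.includes("deprecation")) return link.uri;
  }
  return null;
}

// Constructed sample header for a stand-alone run.
const sampleHeader =
  '<https://api.example.test/v2>; rel="deprecation", ' +
  '<https://api.example.test/docs>; rel="alternate"';
console.log(findDeprecationLink(sampleHeader)); // https://api.example.test/v2

if (typeof module !== "undefined") {
  module.exports = { MAX_LINK_HEADER_LENGTH, splitLinkValues, parseLinkValue, findDeprecationLink };
}
```

The scanner returns `null` for an unterminated `<` and for headers over the cap, so an input made of one `<` followed by a long run of non-`>` characters, the shape that makes the original pattern re-examine the same characters repeatedly, is rejected after one pass.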
Recommendation
Update the @octokit/request package to the latest compatible version. The version details are as follows:
Affected version(s): **>= 1.0.0, < 8.4.1** and **>= 9.0.0-beta.1, < 9.2.1**. Patched version(s): **8.4.1** and **9.2.1**.
Related Issues
- Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability (GHSA-m5vv-6r4h-3vj9) - CVE-2024-35255
- webpack-dev-server users' source code may be stolen when they access a malicious web site with a non-Chromium based browser - CVE-2025-30360
- @octokit/plugin-paginate-rest has a Regular Expression in iterator that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25288
- @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25289
Tags: npm, @octokit/request
Last updated on February 18, 2025