Unauthenticated Denial of Service in the octokit/webhooks library (GHSA-pwfr-8pq7-x9qv)
- Severity: High
Description
During a pentest we encountered a bug in the octokit/webhooks library (a dependency of Probot, a framework for building GitHub Apps). The resulting request was found to cause an uncaught exception that ends the Node.js process. Versions v9.26.0, v10.9.x, v11.1.x and v12.0.x all contained the code that throws this error.
Recommendation
Update the @octokit/webhooks package to the latest compatible version. The following are the version details:
- Affected version(s): **>= 12.0.0, < 12.0.3**; **>= 11.0.0, < 11.1.2**; **>= 10.0.0, < 10.9.2**; **< 9.26.3**
- Patched version(s): **12.0.3**, **11.1.2**, **10.9.2**, **9.26.3**
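As an added example (not code from octokit/webhooks, Probot or this advisory), the following Node.js script does two things a defender can act on from the text above: it checks an installed version string against the affected and patched ranges listed here, and it shows the generic failure mode the description names (an uncaught exception or unhandled rejection in a request handler ends the Node.js process) beside a wrapper that turns handler errors into an HTTP error response. The `fragileHandler` function is hypothetical and only stands in for a handler that throws on unexpected input; it is not the code path the advisory refers to, which this page does not identify.

```javascript
// Added example; not code from octokit/webhooks, Probot or the advisory.
// Part 1: check a version string against the affected/patched ranges above.
// Part 2: a hypothetical handler that throws on unexpected input, and a
//         wrapper that keeps such a throw from ending the Node.js process.

// Ranges copied from the advisory: each affected range ends at its patched version.
const AFFECTED_RANGES = [
  { min: '12.0.0', patched: '12.0.3' }, // >= 12.0.0, < 12.0.3
  { min: '11.0.0', patched: '11.1.2' }, // >= 11.0.0, < 11.1.2
  { min: '10.0.0', patched: '10.9.2' }, // >= 10.0.0, < 10.9.2
  { min: null,     patched: '9.26.3' }, // < 9.26.3
];

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1 like a comparator. A pre-release sorts before the release
// with the same numbers; two pre-releases of the same number are treated as
// equal (simplification: their identifier lists are not compared).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const part of ['major', 'minor', 'patch']) {
    if (pa[part] !== pb[part]) return pa[part] < pb[part] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// The affected range that contains `version`, or null when it is patched.
function affectedRangeFor(version) {
  return AFFECTED_RANGES.find(({ min, patched }) =>
    (min === null || compareSemver(version, min) >= 0) &&
    compareSemver(version, patched) < 0) || null;
}

function isAffected(version) {
  return affectedRangeFor(version) !== null;
}

// The fixed release on the same major line, or null if already patched.
function patchedVersionFor(version) {
  const range = affectedRangeFor(version);
  return range ? range.patched : null;
}

// Part 2. Node.js ends the process on an uncaught exception and (since Node 15)
// on an unhandled promise rejection, so one bad request to a handler like this
// hypothetical one takes the whole webhook receiver down.
async function fragileHandler(req) {
  const event = JSON.parse(req.body); // throws SyntaxError on a non-JSON body
  return { status: 200, body: `received ${event.action}` };
}

// Wrap a handler so that every throw or rejection becomes a response instead.
// `log` is where a defender would count these: a burst of malformed requests
// from one source is a detection signal worth alerting on.
function guarded(handler, log = () => {}) {
  return async function (req) {
    try {
      return await handler(req);
    } catch (err) {
      log(`webhook handler failed: ${err.name}: ${err.message}`);
      return err instanceof SyntaxError
        ? { status: 400, body: 'malformed webhook payload' }
        : { status: 500, body: 'internal error' };
    }
  };
}

// Stand-alone demo with constructed inputs.
console.log('10.2.0 affected:', isAffected('10.2.0'), 'upgrade to', patchedVersionFor('10.2.0'));
console.log('12.0.3 affected:', isAffected('12.0.3'));
const handle = guarded(fragileHandler, console.error);
handle({ body: '{"action":"opened"}' }).then((res) => console.log(res));
handle({ body: 'not json' }).then((res) => console.log(res)); // 400, process keeps running
```

The version check is deliberately dependency-free so it can be dropped into a CI step that reads the resolved `@octokit/webhooks` version from a lockfile; the wrapper is an interim hardening pattern for any Node.js webhook receiver, not a substitute for upgrading to a patched release.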
- Tags: npm, @octokit/webhooks
Last updated on December 16, 2023