Description

@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue.

INFO

Published Date :

2025-02-14T19:31:44.827Z

Last Modified :

2025-02-14T19:44:09.952Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-25285 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-25285.

URL Resource
https://github.com/octokit/endpoint.js/blob/main/src/parse.ts cve-icon cve-icon cve-icon
https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8 cve-icon cve-icon cve-icon
https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-25285 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-25285 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact