Description

@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression `/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.

INFO

Published Date :

2025-02-14T19:37:47.110Z

Last Modified :

2026-01-16T17:29:06.418Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-25290 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-25290.

URL Resource
https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68 cve-icon cve-icon cve-icon
https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2 cve-icon cve-icon
https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126c cve-icon cve-icon
https://github.com/octokit/request.js/releases/tag/v8.4.1 cve-icon cve-icon
https://github.com/octokit/request.js/releases/tag/v9.2.1 cve-icon cve-icon
https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-25290 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-25290 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact