CVE-2025-25288: @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
(updated )
For the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack.
References
- github.com/advisories/GHSA-h5c3-5r3r-rr8q
- github.com/octokit/plugin-paginate-rest.js
- github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts
- github.com/octokit/plugin-paginate-rest.js/commit/bb6c4f945d8023902cf387391d2b2209261044ab
- github.com/octokit/plugin-paginate-rest.js/releases/tag/v9.2.2
- github.com/octokit/plugin-paginate-rest.js/security/advisories/GHSA-h5c3-5r3r-rr8q
- nvd.nist.gov/vuln/detail/CVE-2025-25288
Code Behaviors & Features
Detect and mitigate CVE-2025-25288 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →