CVE-2025-25288 is a medium-severity vulnerability affecting the @octokit/plugin-paginate-rest package, specifically versions from 1.0.0 up to (but not including) 11.4.1. It allows an attacker to perform a Regular Expression Denial of Service (ReDoS) attack by sending specially crafted requests through a manipulated instance of the Octokit library. The vulnerability is of particular concern because it can be triggered via a malicious 'link' parameter in the headers section of the request.
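The mitigation side of a ReDoS in header parsing is a parser whose running time is bounded by input length. The following is an added example, not code from @octokit/plugin-paginate-rest or the Octokit project: a linear-time parser for the HTTP `Link` header that extracts the rel="next" URL without any regular expression and rejects oversized headers before parsing. The size cap, the function names and the sample header are assumptions made for this illustration.

```javascript
// Added example, not code from @octokit/plugin-paginate-rest or the Octokit
// project: a linear-time parser for the HTTP `Link` header that extracts the
// rel="next" URL without any regular expression, so runtime grows only with
// header length, and a size cap rejects oversized headers before parsing.

// Assumed cap on header size; tune it for your own deployment.
const MAX_LINK_HEADER_LENGTH = 8 * 1024;

// Split `text` on `separator`, ignoring separators inside <...> or "..." so a
// comma or semicolon in a URL or quoted value does not break the link-value.
function splitOutside(text, separator) {
  const parts = [];
  let inUrl = false;
  let inQuote = false;
  let start = 0;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inUrl) {
      if (ch === ">") inUrl = false;
    } else if (inQuote) {
      if (ch === '"') inQuote = false;
    } else if (ch === "<") {
      inUrl = true;
    } else if (ch === '"') {
      inQuote = true;
    } else if (ch === separator) {
      parts.push(text.slice(start, i));
      start = i + 1;
    }
  }
  parts.push(text.slice(start));
  return parts;
}

// Returns a null-prototype map of rel -> URL (first occurrence wins), so a
// relation type such as "constructor" cannot collide with Object.prototype.
function parseLinkHeader(header) {
  const links = Object.create(null);
  if (typeof header !== "string") return links;
  if (header.length > MAX_LINK_HEADER_LENGTH) {
    throw new RangeError(`Link header longer than ${MAX_LINK_HEADER_LENGTH} characters`);
  }
  for (const value of splitOutside(header, ",")) {
    const segments = splitOutside(value, ";").map((s) => s.trim());
    const target = segments[0];
    // A well-formed link-value starts with <url>; anything else is skipped.
    if (target.length < 2 || !target.startsWith("<") || !target.endsWith(">")) continue;
    const url = target.slice(1, -1);
    for (const param of segments.slice(1)) {
      const eq = param.indexOf("=");
      if (eq === -1) continue;
      const name = param.slice(0, eq).trim().toLowerCase();
      if (name !== "rel") continue;
      let rels = param.slice(eq + 1).trim();
      if (rels.length >= 2 && rels.startsWith('"') && rels.endsWith('"')) {
        rels = rels.slice(1, -1);
      }
      // rel may list several space-separated relation types.
      for (const rel of rels.split(" ")) {
        if (rel !== "" && !(rel in links)) links[rel] = url;
      }
    }
  }
  return links;
}

function nextPageUrl(header) {
  const links = parseLinkHeader(header);
  return "next" in links ? links.next : null;
}

// Constructed sample shaped like a GitHub API pagination header.
const SAMPLE_LINK_HEADER =
  '<https://api.github.com/repositories/1300192/issues?page=2>; rel="next", ' +
  '<https://api.github.com/repositories/1300192/issues?page=3>; rel="last"';

console.log(nextPageUrl(SAMPLE_LINK_HEADER));
```

The single pass over each character in `splitOutside` is the whole point: there is no backtracking to amplify, so a header made entirely of separators or brackets costs the same as a well-formed one, and anything beyond the cap is refused before any work is done.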
The vulnerability was published on February 14, 2025, with a CVSS score of 5.3, which classifies it as medium severity: not critical, but a real risk to systems running the affected versions of the library. Organizations using this package should evaluate their exposure and take the steps needed to mitigate it.
Version 11.4.1 of @octokit/plugin-paginate-rest fixes this vulnerability, so users should upgrade to that version or later. Organizations should prioritize patching to prevent exploitation and keep their applications secure.
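Confirming whether a deployment is inside the affected range is the first remediation step. The following is an added example, not code from the Octokit project: a semver range check for the range the advisory names (>= 1.0.0 and < 11.4.1) applied to the `packages` map of an npm lockfile, so that nested installs under other dependencies are found as well. The lockfile contents and function names are constructed for this illustration.

```javascript
// Added example, not code from the Octokit project: checks whether installed
// copies of @octokit/plugin-paginate-rest fall inside the range this advisory
// lists as affected (>= 1.0.0 and < 11.4.1), scanning a package-lock.json
// `packages` map so nested installs are found too.

const PACKAGE_NAME = "@octokit/plugin-paginate-rest";
const AFFECTED_FROM = "1.0.0";
const FIXED_IN = "11.4.1";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into a comparable form.
function parseVersion(version) {
  const text = String(version).trim().replace(/^v/, "");
  const withoutBuild = text.split("+")[0];
  const dash = withoutBuild.indexOf("-");
  const core = dash === -1 ? withoutBuild : withoutBuild.slice(0, dash);
  const parts = core.split(".");
  if (parts.length !== 3 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new TypeError(`not a semver version: ${version}`);
  }
  return { core: parts.map(Number), prerelease: dash !== -1 };
}

// Returns -1, 0 or 1. Prerelease identifiers are not ordered among
// themselves here (assumed simplification); a prerelease always sorts
// before its release, so 11.4.1-beta.1 still counts as before the fix.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
    compareVersions(version, FIXED_IN) < 0;
}

// Walk lockfile `packages` entries (npm lockfile v2/v3 shape) and return the
// install paths, with versions, that need upgrading.
function findAffectedInLock(lock) {
  const suffix = "node_modules/" + PACKAGE_NAME;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix)) continue;
    if (entry && typeof entry.version === "string" && isAffected(entry.version)) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}

// Constructed sample lockfile: one direct install in the affected range and
// one nested copy that already carries the fix.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/@octokit/plugin-paginate-rest": { version: "9.2.1" },
    "node_modules/some-tool/node_modules/@octokit/plugin-paginate-rest": { version: "11.4.1" },
    "node_modules/another-dep": { version: "1.2.3" },
  },
};

console.log(findAffectedInLock(SAMPLE_LOCK));
```

Run against a real `package-lock.json` by parsing the file with `JSON.parse` and passing the object to `findAffectedInLock`; an empty result means no copy of the package is within the affected range, whichever dependency pulled it in.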
The risk to organizations is service disruption from a ReDoS attack, which can degrade performance or make services relying on the affected library unavailable. Because the attack complexity is low and no user interaction is required, organizations should address this vulnerability promptly.
Given the nature of this vulnerability, organizations should evaluate their use of the affected versions and consider additional monitoring or security measures to detect exploitation attempts until they can fully remediate.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.