CVE-2025-25285
📋 TL;DR
This vulnerability in @octokit/endpoint allows attackers to cause a regular expression denial-of-service (ReDoS) attack by crafting specific options parameters. When exploited, it causes the program to hang with high CPU utilization, potentially disrupting services. Anyone using @octokit/endpoint versions 4.1.0 through 10.1.2 is affected.
💻 Affected Systems
- @octokit/endpoint npm package
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through CPU exhaustion, leading to denial of service for all users of the affected application.
Likely Case
Temporary service degradation or unresponsiveness until the process is restarted or the attack stops.
If Mitigated
Minimal impact with proper rate limiting, input validation, and monitoring in place.
🎯 Exploit Status
Exploitation requires crafting specific options parameters to trigger the vulnerable parse function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.1.3
Vendor Advisory: https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv
Restart Required: Yes
Instructions:
1. Update package.json to specify @octokit/endpoint version 10.1.3 or higher.
2. Run 'npm update @octokit/endpoint' or 'yarn upgrade @octokit/endpoint'.
3. Restart your application.
🔧 Temporary Workarounds
Input Validation
Validate and sanitize all user input before passing it to the endpoint.parse() function.
Rate Limiting
Implement rate limiting on endpoints that use the vulnerable function.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all parameters passed to endpoint.parse()
- Deploy monitoring for abnormal CPU spikes and implement automatic process restart mechanisms
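The input-validation workaround above and the "If You Can't Patch" list both come down to the same control: never hand unbounded caller-supplied data to endpoint.parse(). The following is an added example, not code from this page or from the octokit project. It bounds string length, key count and nesting depth of an options object before a parse function sees it; ReDoS cost grows with input length, so a length cap removes the attacker's lever even when the exact vulnerable pattern is unknown. The limits are assumptions for illustration, and a stub stands in for the real endpoint.parse so the snippet runs offline.

```javascript
// Added example (not octokit's code): validate caller-supplied options before
// they reach endpoint.parse(). The limits are illustrative assumptions.
const LIMITS = { maxStringLength: 2048, maxKeys: 64, maxDepth: 4 };

class OptionsRejected extends Error {}

// Recursively check an options value; throws OptionsRejected on anything oversized.
// Returns the value unchanged so it can be passed straight on.
function validateOptions(value, limits = LIMITS, depth = 0, path = "options") {
  if (depth > limits.maxDepth) {
    throw new OptionsRejected(`${path}: nesting deeper than ${limits.maxDepth}`);
  }
  if (typeof value === "string") {
    if (value.length > limits.maxStringLength) {
      throw new OptionsRejected(`${path}: string longer than ${limits.maxStringLength}`);
    }
    return value;
  }
  if (Array.isArray(value)) {
    if (value.length > limits.maxKeys) {
      throw new OptionsRejected(`${path}: more than ${limits.maxKeys} elements`);
    }
    value.forEach((v, i) => validateOptions(v, limits, depth + 1, `${path}[${i}]`));
    return value;
  }
  if (value !== null && typeof value === "object") {
    const keys = Object.keys(value);
    if (keys.length > limits.maxKeys) {
      throw new OptionsRejected(`${path}: more than ${limits.maxKeys} keys`);
    }
    for (const k of keys) {
      if (k.length > limits.maxStringLength) {
        throw new OptionsRejected(`${path}: key longer than ${limits.maxStringLength}`);
      }
      validateOptions(value[k], limits, depth + 1, `${path}.${k}`);
    }
    return value;
  }
  return value; // numbers, booleans, null, undefined pass through untouched
}

// Wrap a parse function so every call is validated first. In real use `parseFn`
// would be endpoint.parse from @octokit/endpoint (assumption; a stub is used here).
function guardedParse(parseFn, limits = LIMITS) {
  return (options) => parseFn(validateOptions(options, limits));
}

// Constructed stand-in for endpoint.parse so the example runs offline.
function stubParse(options) {
  return { method: options.method || "GET", url: options.url, headers: options.headers || {} };
}

const safeParse = guardedParse(stubParse);

// Returns "ok" or the rejection reason, so the outcome can be inspected.
function tryParse(options) {
  try {
    safeParse(options);
    return "ok";
  } catch (e) {
    if (e instanceof OptionsRejected) return "rejected: " + e.message;
    throw e;
  }
}

// Normal request options pass; an oversized template parameter is refused before parsing.
console.log(tryParse({ method: "GET", url: "/repos/{owner}/{repo}", owner: "octokit", repo: "endpoint.js" }));
console.log(tryParse({ method: "GET", url: "/repos/{owner}/{repo}", owner: "x".repeat(10000), repo: "endpoint.js" }));
```

Place the guard at the trust boundary (the HTTP handler or job consumer that builds the options), not deep inside library glue, so the rejection is logged with the request context and can feed the CPU-spike monitoring described above.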
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list @octokit/endpoint' to see installed version
Check Version:
npm list @octokit/endpoint | grep @octokit/endpoint
Verify Fix Applied:
Verify version is 10.1.3 or higher using 'npm list @octokit/endpoint'
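Reading the version off `npm list` by eye misses nested copies of the package, which npm trees routinely contain. As an added example (not code from this page or from the octokit project), the following script takes the JSON that `npm ls @octokit/endpoint --json` prints, walks every `dependencies` level, and classifies each installed copy against the affected range 4.1.0 through 10.1.2 and the 10.1.3 fix stated on this page. The sample tree is constructed; the object shape (`dependencies` mapping names to `{ version, dependencies }`) is the one npm emits.

```javascript
// Added example: classify installed @octokit/endpoint copies against the ranges on this page.
const AFFECTED_MIN = [4, 1, 0];
const AFFECTED_MAX = [10, 1, 2];
const FIXED = [10, 1, 3];

// Parse "MAJOR.MINOR.PATCH" (a "-prerelease" or "+build" suffix is ignored); null if not semver-like.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "fixed" (>= 10.1.3), "affected" (4.1.0..10.1.2), "not-affected" (older) or "unknown".
function classifyVersion(v) {
  const p = parseVersion(v);
  if (!p) return "unknown";
  if (compareVersions(p, FIXED) >= 0) return "fixed";
  if (compareVersions(p, AFFECTED_MIN) >= 0 && compareVersions(p, AFFECTED_MAX) <= 0) return "affected";
  return "not-affected";
}

// Walk an `npm ls --json` tree and collect every installed copy of `name`, with its path.
function findInstalledVersions(tree, name, path = [], found = []) {
  const deps = tree.dependencies || {};
  for (const [depName, info] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name && info.version) {
      found.push({ path: here.join(" > "), version: info.version });
    }
    findInstalledVersions(info, name, here, found);
  }
  return found;
}

// Verdict for the whole tree: vulnerable if any copy falls in the affected range.
function auditTree(tree, name = "@octokit/endpoint") {
  const copies = findInstalledVersions(tree, name).map((c) => ({ ...c, status: classifyVersion(c.version) }));
  return { copies, vulnerable: copies.some((c) => c.status === "affected") };
}

// Constructed sample (not a real project): a patched top-level copy plus a nested affected one
// pulled in by a hypothetical wrapper library.
const SAMPLE_NPM_LS = {
  name: "example-app",
  dependencies: {
    "@octokit/endpoint": { version: "10.1.3" },
    "example-wrapper-lib": {
      version: "1.0.0",
      dependencies: { "@octokit/endpoint": { version: "9.0.5" } },
    },
  },
};

console.log(JSON.stringify(auditTree(SAMPLE_NPM_LS), null, 2));
```

In a real check, replace `SAMPLE_NPM_LS` with `JSON.parse` of the captured `npm ls @octokit/endpoint --json` output and fail the build when `vulnerable` is true; the `path` field tells you which dependency drags the old copy in.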
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage patterns
- Process hanging or timeout errors
- Multiple failed API calls with similar parameters
Network Indicators:
- Repeated requests with similar payloads to endpoints using @octokit/endpoint
SIEM Query:
source="application_logs" AND ("high cpu" OR "process hang" OR "timeout") AND "@octokit/endpoint"