CVE-2025-25289
📋 TL;DR
A Regular Expression Denial of Service (ReDoS) vulnerability exists in @octokit/request-error versions 1.0.0 through 6.1.6. Attackers can send specially crafted HTTP authorization headers containing excessive spaces followed by newlines and '@' characters, causing inefficient regex processing that consumes excessive server resources. This affects any application using vulnerable versions of this Octokit error handling library.
💻 Affected Systems
- @octokit/request-error
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete denial-of-service causing application unavailability, resource exhaustion leading to system instability or crashes.
Likely Case
Significant performance degradation, increased response times, and partial service disruption under attack.
If Mitigated
Minimal impact with proper rate limiting, input validation, and updated versions.
🎯 Exploit Status
Exploitation requires sending HTTP requests with malicious authorization headers. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.1.7
Vendor Advisory: https://github.com/octokit/request-error.js/security/advisories/GHSA-xx4v-prfh-6cgc
Restart Required: Yes
Instructions:
1. Update package.json to specify @octokit/request-error version 6.1.7 or higher. 2. Run 'npm update @octokit/request-error' or 'yarn upgrade @octokit/request-error'. 3. Restart your application.
🔧 Temporary Workarounds
Rate Limiting
allImplement rate limiting on HTTP endpoints to prevent excessive malicious requests.
Input Validation
allAdd middleware to validate and sanitize authorization headers before processing.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block requests with excessive spaces in headers.
- Monitor for abnormal CPU usage patterns and implement alerting for resource exhaustion.
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list @octokit/request-error' to see installed version.Check Version:
npm list @octokit/request-errorVerify Fix Applied:
Confirm version is 6.1.7 or higher using 'npm list @octokit/request-error'.📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Increased error rates from @octokit/request-error
- Requests with unusually long authorization headers
Network Indicators:
- HTTP requests with authorization headers containing excessive spaces and newlines
SIEM Query:
source="web_server" AND (header="authorization" AND header_value MATCHES "\\s{100,}\\n@")