CVE-2025-25288 Overview
CVE-2025-25288 is a Regular Expression Denial of Service (ReDoS) vulnerability in the @octokit/plugin-paginate-rest npm package, the Octokit plugin that paginates REST API endpoint responses. When octokit.paginate.iterator() looks for the next page, it runs a regular expression over the link header of the HTTP response it has just received; a specially crafted link value makes that regular expression backtrack excessively and pins the CPU of the calling process.
Critical Impact
Applications running an affected version can become unresponsive: the regular expression executes synchronously on the Node.js event loop, so a single pathological link header stalls every request, timer and callback in that process until the match finishes. The effect is limited to availability; no data is disclosed or altered.
Affected Products
- @octokit/plugin-paginate-rest versions 1.0.0 through 11.4.0 (every release before 11.4.1)
- Applications and services that install a vulnerable version directly, or transitively through packages that bundle it such as @octokit/rest and the octokit meta-package
- GitHub API integrations that use Octokit pagination (octokit.paginate() as well as octokit.paginate.iterator(), since the former is built on the latter)
Discovery Timeline
- 2025-02-14 - CVE-2025-25288 published to NVD
- 2025-02-14 - Last updated in NVD database
Technical Details for CVE-2025-25288
Vulnerability Analysis
This vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity), commonly known as ReDoS (Regular Expression Denial of Service). The issue resides in the iterator.ts file, where a regular expression parses the link header of each GitHub API response to extract the URL of the next page. The original pattern /<([^>]+)>;\s*rel="next"/ anchors on a literal < and then lets the class [^>]+ consume any character other than >, including further < characters. On a header that contains many < characters and no closing >, every < is a possible match start, and from each one the engine swallows the whole remainder before backtracking one character at a time in search of a >. The work therefore grows with the square of the header length: a header of twenty thousand < characters already costs on the order of two hundred million regex steps. The growth is quadratic rather than exponential, which is still enough to stall a process for seconds.
An attacker who controls or can influence the link header that reaches the pagination iterator can supply such a string. The match runs synchronously on the Node.js event loop, so while it is in progress the process serves no other requests, timers or I/O callbacks.
Root Cause
The root cause is that the character class in /<([^>]+)>;\s*rel="next"/ excludes only >, so the < that opens a link is also a legal character inside it. The regex engine cannot tell where one candidate link ends and the next begins: for an input such as a long run of < with no closing >, each starting < leads to a full scan and backtrack of the remainder, and the total cost is quadratic in the header length. Excluding < from the class, as the fix does, makes each candidate attempt stop at the very next <, which bounds the total work to a single pass over the header.
Attack Vector
The attacker needs no GitHub credentials; what they need is control over the HTTP response that octokit.paginate.iterator() parses, because the vulnerable value is the link header of that response rather than anything the caller sends. Realistic paths are an Octokit instance whose baseUrl points at a server the attacker runs, a compromised or impersonated GitHub Enterprise Server, or a proxy in the path that rewrites upstream response headers. Once a crafted link header arrives, the regex evaluation enters its quadratic worst case and blocks the Node.js event loop for as long as the match takes.
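As an added example (not code from this page's source or from the Octokit project), the following JavaScript puts the pre-fix and post-fix patterns from iterator.ts side by side, runs both over a constructed GitHub-style link header, and times them on a constructed pathological header made of repeated < characters. The header strings, the URLs in them and the timing helper are assumptions for illustration.

```javascript
// Added example (not code from the @octokit/plugin-paginate-rest project):
// the pre-fix and post-fix patterns from iterator.ts, compared on a benign
// header and on a constructed pathological header.

const VULNERABLE_NEXT_RE = /<([^>]+)>;\s*rel="next"/;  // shipped in 1.0.0 .. 11.4.0
const PATCHED_NEXT_RE = /<([^<>]+)>;\s*rel="next"/;    // shipped in 11.4.1

// Same extraction the iterator performs: the first capture group, or undefined
// when the header is missing or has no rel="next" entry.
function nextUrl(re, linkHeader) {
  return ((linkHeader || "").match(re) || [])[1];
}

// Constructed header in the shape GitHub returns (assumed URLs).
const BENIGN_LINK =
  '<https://api.github.com/repos/octocat/hello-world/issues?page=2>; rel="next", ' +
  '<https://api.github.com/repos/octocat/hello-world/issues?page=5>; rel="last"';

// Constructed pathological header: n '<' characters and no '>'. With [^>]+
// every '<' is both a match start and a consumable character, so the engine
// scans and backtracks the remainder from each position (quadratic). With
// [^<>]+ each attempt stops at the very next '<' (linear).
function pathologicalLink(n) {
  return "<".repeat(n);
}

// Wall-clock cost of one match in milliseconds, plus the extracted URL.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const url = nextUrl(re, input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { ms, url };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [2000, 8000, 16000]) {
    const input = pathologicalLink(n);
    const v = timeMatch(VULNERABLE_NEXT_RE, input);
    const p = timeMatch(PATCHED_NEXT_RE, input);
    console.log(`n=${n}: vulnerable ${v.ms.toFixed(1)} ms, patched ${p.ms.toFixed(1)} ms`);
  }
}
```

Run it with node to see the vulnerable timings grow roughly fourfold each time the input doubles while the patched ones stay flat; both patterns return the same URL for the benign header and undefined for the pathological one, so the fix changes cost, not behaviour.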
// Security patch in src/iterator.ts - Merge commit from fork
// '<https://api.github.com/users/aseemk/followers?page=2>; rel="next", <https://api.github.com/users/aseemk/followers?page=2>; rel="last"'
// sets `url` to undefined if "next" URL is not present or `link` header is not set
url = ((normalizedResponse.headers.link || "").match(
- /<([^>]+)>;\s*rel="next"/,
+ /<([^<>]+)>;\s*rel="next"/,
) || [])[1];
return { value: normalizedResponse };
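Review bot: the narrowed class on the + line removes the quadratic case for runs of <, but the parser is still a greedy regex applied to a response header of attacker-chosen length, and nothing bounds that length before the match runs. A single-pass split on , and ; (the RFC 8288 link-value syntax) that then inspects the rel parameter is linear by construction and does not depend on the class excluding the right characters; short of that, add a regression test that runs the new pattern over a header of several tens of thousands of < characters under a timing bound, so a later edit to this line cannot silently reintroduce the backtracking.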
Source: GitHub Commit Details
Detection Methods for CVE-2025-25288
Indicators of Compromise
- Unusual CPU spikes in Node.js processes handling GitHub API pagination
- Application hangs or timeouts when processing pagination responses
- Slow or unresponsive GitHub API integration endpoints
- Event loop blocking indicators in Node.js monitoring tools
Detection Strategies
- Audit package.json and package-lock.json files for @octokit/plugin-paginate-rest versions between 1.0.0 and 11.4.0
- Run npm audit or yarn audit to identify vulnerable dependencies
- Use software composition analysis (SCA) tools to scan for the vulnerable package version
- Monitor application logs for abnormal request processing times related to GitHub API calls
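To make the lockfile audit in the list above concrete, here is an added example (not part of the page's advisory or of any Octokit tooling) that scans a package-lock.json for every installed copy of @octokit/plugin-paginate-rest, including copies nested under other dependencies, and reports those below 11.4.1. The lockfile fragment embedded in it is constructed, and the dependency name some-github-tool is hypothetical.

```javascript
// Added example (not Octokit or npm code): find every copy of
// @octokit/plugin-paginate-rest in a package-lock.json (lockfileVersion 2 or
// 3) and flag the ones in the affected range 1.0.0 <= v < 11.4.1.

const PACKAGE = "@octokit/plugin-paginate-rest";
const FIRST_AFFECTED = "1.0.0";
const FIXED_VERSION = "11.4.1"; // first patched release per the advisory

// Minimal numeric semver compare: returns -1, 0 or 1. Pre-release suffixes
// are ignored, which is adequate for this package's release history.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIXED_VERSION) < 0;
}

// Returns [{ path, version, vulnerable }] for every copy in the lockfile.
// Keys in lock.packages are install paths, so a nested copy shows up as
// node_modules/<parent>/node_modules/@octokit/plugin-paginate-rest.
function auditLockfile(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PACKAGE) || !entry.version) continue;
    results.push({ path, version: entry.version, vulnerable: isVulnerable(entry.version) });
  }
  return results;
}

// Same audit against a lockfile on disk.
function auditLockfilePath(file) {
  const fs = require("fs");
  return auditLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed lockfile fragment: a patched top-level copy and a vulnerable
// copy nested under a hypothetical dependency that pins an older release.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@octokit/plugin-paginate-rest": "^11.4.1" } },
    "node_modules/@octokit/plugin-paginate-rest": { version: "11.4.1" },
    "node_modules/some-github-tool": { version: "2.0.0" },
    "node_modules/some-github-tool/node_modules/@octokit/plugin-paginate-rest": { version: "9.2.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.version}  ${f.path}`);
  }
}
```

Point auditLockfilePath("package-lock.json") at a real project to use it; the nested-copy case is the one npm audit output is easy to misread, because the top-level version can be patched while a dependency still ships its own older copy.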
Monitoring Recommendations
- Implement request timeout thresholds for GitHub API pagination operations
- Set up alerts for CPU utilization anomalies in services using Octokit
- Enable Node.js process monitoring to detect event loop lag
- Track response times for endpoints using octokit.paginate.iterator()
How to Mitigate CVE-2025-25288
Immediate Actions Required
- Upgrade @octokit/plugin-paginate-rest to version 11.4.1 or later immediately
- Run npm update @octokit/plugin-paginate-rest or yarn upgrade @octokit/plugin-paginate-rest. Note that npm update stays within the version range declared in package.json; if the vulnerable copy is pulled in transitively (for example by an older @octokit/rest), update that parent package or force the fix with an overrides (npm) or resolutions (yarn) entry
- Verify the update by checking the installed version in node_modules
- Rebuild and redeploy affected applications
Patch Information
The vulnerability has been fixed in version 11.4.1 of @octokit/plugin-paginate-rest. The fix changes the pattern from /<([^>]+)>;\s*rel="next"/ to /<([^<>]+)>;\s*rel="next"/, adding < to the excluded characters. A run of < characters is now examined one position at a time and each attempt is abandoned immediately, so the parse completes in time linear in the header length instead of quadratic. The security patch is documented in the GitHub Security Advisory and the commit details.
Workarounds
- Implement input validation on link headers before passing to the pagination iterator
- Add request timeouts around pagination calls to limit DoS impact
- Do not expect a web application firewall in front of your own application to help: the malicious value is a response header from the upstream API, not part of an inbound request. If outbound API traffic passes through an egress proxy, cap the size of link response headers there instead
- Isolate GitHub API integration services to prevent broader application impact
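The first workaround above, validating the link header before the iterator sees it, is shown here as an added example (not Octokit code): a length-capped, single-pass parser for the RFC 8288 Link header that finds rel="next" without any backtracking regex, plus a helper that rewrites a response's link header to the validated value. The 8192-byte cap is an assumption; so is the intent to call sanitizeResponseLink from an octokit.hook.after("request", ...) handler, which is the response hook @octokit/core exposes.

```javascript
// Added example (not Octokit code): a length-capped, single-pass parser for the
// RFC 8288 Link header that finds rel="next" without a backtracking regex, and
// a helper that rewrites a response's link header to the validated value.

// Assumed cap; real GitHub link headers are a few hundred bytes.
const MAX_LINK_HEADER_LENGTH = 8192;

// Split a header value on commas that are outside both quoted-strings and
// the <...> URI reference. One pass over the input, no backtracking.
function splitLinks(value) {
  const parts = [];
  let current = "";
  let inQuotes = false;
  let inAngle = false;
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes;
    else if (ch === "<" && !inQuotes) inAngle = true;
    else if (ch === ">" && !inQuotes) inAngle = false;
    if (ch === "," && !inQuotes && !inAngle) {
      parts.push(current);
      current = "";
    } else {
      current += ch;
    }
  }
  parts.push(current);
  return parts;
}

// Parse one `<url>; rel="next"; other=x` segment into { url, params } or null.
function parseLinkValue(segment) {
  const s = segment.trim();
  if (!s.startsWith("<")) return null;
  const close = s.indexOf(">");
  if (close < 0) return null;
  const url = s.slice(1, close);
  const params = {};
  for (const raw of s.slice(close + 1).split(";")) {
    const p = raw.trim();
    const eq = p.indexOf("=");
    if (!p || eq < 0) continue;
    const key = p.slice(0, eq).trim().toLowerCase();
    let val = p.slice(eq + 1).trim();
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    params[key] = val;
  }
  return { url, params };
}

// Returns the rel="next" URL, or undefined when the header is absent,
// oversized or malformed. rel may hold several space-separated relation types.
function findNextLink(linkHeader, maxLen = MAX_LINK_HEADER_LENGTH) {
  if (typeof linkHeader !== "string" || linkHeader.length > maxLen) return undefined;
  for (const segment of splitLinks(linkHeader)) {
    const link = parseLinkValue(segment);
    if (link && (link.params.rel || "").split(/\s+/).includes("next")) return link.url;
  }
  return undefined;
}

// Rewrites response.headers.link to contain only the validated next link (or
// removes it), so the iterator's own regex only ever sees a short, well-formed
// value. Other relations (prev, last, first) are dropped; keep the original
// elsewhere if your code needs them.
function sanitizeResponseLink(response, maxLen = MAX_LINK_HEADER_LENGTH) {
  const headers = response.headers || (response.headers = {});
  const next = findNextLink(headers.link, maxLen);
  if (next === undefined) delete headers.link;
  else headers.link = `<${next}>; rel="next"`;
  return response;
}
```

Every loop in the parser advances through its input exactly once, so the cost is linear regardless of content, and the length cap rejects oversized headers before any parsing starts. The helper is a stop-gap for deployments that cannot upgrade immediately; it does not replace moving to 11.4.1.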
# Upgrade and verification example
# Update the vulnerable package to the patched version
npm install @octokit/plugin-paginate-rest@11.4.1
# Verify the installed version
npm list @octokit/plugin-paginate-rest
# Run security audit to confirm no remaining vulnerabilities
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


