GHSA-h5c3-5r3r-rr8q

Опубликовано: 14 фев. 2025

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Summary

For the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack.

Details

The issue occurs at line 39 of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows:

url = ((normalizedResponse.headers.link || "").match( /<([^>]+)>;\s*rel="next"/, ) || [])[1];

The regular expression /<([^>]+)>;\s*rel="next"/ may lead to a potential backtracking vulnerability, resulting in a ReDoS (Regular Expression Denial of Service) attack. This could cause high CPU utilization and even service slowdowns or freezes when processing specially crafted Link headers.

PoC

The gist of PoC.js

run npm i @octokit/plugin-paginate-rest
run 'node poc.js' result:
then the program will stuck forever with high CPU usage

import { Octokit } from "@octokit/core"; import { paginateRest } from "@octokit/plugin-paginate-rest"; const MyOctokit = Octokit.plugin(paginateRest); const octokit = new MyOctokit({ auth: "your-github-token", }); // Intercept the request to inject a malicious 'link' header for ReDoS octokit.hook.wrap("request", async (request, options) => { const maliciousLinkHeader = "" + "<".repeat(100000) + ">"; // attack string return { data: [], headers: { link: maliciousLinkHeader, // Inject malicious 'link' header }, }; }); // Trigger the ReDoS attack by paginating through GitHub issues (async () => { try { for await (const normalizedResponse of octokit.paginate.iterator( "GET /repos/{owner}/{repo}/issues", { owner: "DayShift", repo: "ReDos", per_page: 100 } )) { console.log({ normalizedResponse }); } } catch (error) { console.error("Error encountered:", error); } })();

Impact

What kind of vulnerability is it?

This is a Regular Expression Denial of Service (ReDoS) vulnerability, which occurs due to excessive backtracking in the regex pattern:

/<([^>]+)>;\s*rel="next"/

When processing a specially crafted Link header, this regex can cause significant performance degradation, leading to high CPU utilization and potential service unresponsiveness.

Who is impacted?

Users of @octokit/plugin-paginate-rest who call octokit.paginate.iterator() and process untrusted or manipulated Link headers.
Applications relying on Octokit's pagination mechanism, particularly those handling large volumes of API requests.
GitHub API consumers who integrate this package into their projects for paginated data retrieval.

Ссылки

Пакеты

Наименование

@octokit/plugin-paginate-rest

npm

Затронутые версииВерсия исправления

>= 9.3.0-beta.1, < 11.4.1

11.4.1

Наименование

@octokit/plugin-paginate-rest

npm

Затронутые версииВерсия исправления

>= 1.0.0, < 9.2.2

9.2.2

EPSS

Процентиль: 31%

0.00118

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-25288

Дефекты

CWE-1333

Связанные уязвимости

CVE-2025-25288

CVSS3: 5.3

redhat

7 месяцев назад

@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance—particularly with a malicious `link` parameter in the `headers` section of the `request`—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.

CVE-2025-25288

CVSS3: 5.3

nvd

7 месяцев назад

EPSS

Процентиль: 31%

0.00118

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-25288

Дефекты

CWE-1333