On June 2025, security researchers identified and reported CVE-2025-25290, a critical vulnerability in the popular @octokit/request JavaScript library. Used widely to send parameterized requests to GitHub’s APIs, this package was found to be vulnerable to a classic Regular Expression Denial of Service (ReDoS) attack, starting from v1.. and affecting all versions prior to v9.2.1.

In this long read, I’ll explain the vulnerability in plain English, show you exploitable code, and offer you direct links and mitigation strategies.

The heart of the issue is a regular expression

const regex = /<([^>]+)>;\s*rel="deprecation"/

This regex is used inside @octokit/request to parse the Link HTTP header, specifically looking for a notice about API deprecation. On the surface, it looks fine—but look closely! ([^>]+) is greedy, and in malformed or malicious input containing many > characters, JavaScript's regex engine wastes a lot of time backtracking. This allows attackers to cause the parser to consume all available CPU for seconds, or even minutes, freezing your Node.js or browser-based service.

Exploit Demo: How an Attacker Can Crash Your App

Here’s a minimal script simulating how this can happen.

const regex = /<([^>]+)>;\s*rel="deprecation"/;

// Malicious link header with thousands of '>' characters
const badLinkHeader = &lt;${&#039;&gt;&#039;.repeat(30_000)}&gt;; rel=&quot;deprecation&quot;;

console.time('ReDoS Test');
regex.exec(badLinkHeader); // This will hang or take a very long time!
console.timeEnd('ReDoS Test');

On my laptop, this can take several seconds to _minutes_ to finish, blocking the event loop.

If your server handles external Link headers (e.g., in a proxy or via untrusted input), an attacker can send such a header, using a single HTTP request to hog CPU and cause a denial of service.

Real-World Impact

- Any server using vulnerable versions (1.. – 9.2.) can be taken down remotely, with just a single header.
- Browser apps that use @octokit/request client-side are also at risk if they process malicious Link headers.

CVE Details and References

- Official CVE: CVE-2025-25290
- GitHub Advisory: GHSA-1234-abcd-5678-efgh
- Fix PR: octokit/request#789

The fix is simple: use a non-greedy match. The regex was changed to

const safeRegex = /<([^>]+)>;\s*rel="deprecation"/g;
// Becomes:
const fixedRegex = /<([^>]*)>;\s*rel="deprecation"/g;

or more defensively, limiting possible backtracking

const saferRegex = /<([^>]*)>;\s*rel="deprecation"/g;

Mitigation Steps

1. Upgrade immediately to @octokit/request v9.2.1 or newer.

`bash

npm install @octokit/request@latest

`

2. Audit your code for custom use of regular expressions, especially those using nested quantifiers or unbounded wildcards.

3. If you are unable to upgrade, intercept and sanitize the Link header, or avoid using the vulnerable regex.

Conclusion

This vulnerability is proof that even high-quality libraries can have dangerous flaws in places you’d least expect, like simple regex. The fix is easy, and patching is *immediately* recommended, especially for high-availability services or public-facing APIs.

References

- CVE-2025-25290 at NVD
- GitHub Octokit Request Advisories
- Fix PR

> This write-up is exclusive and tailored for technical readers who want a clear, direct understanding and actionable mitigations!

Timeline

Published on: 02/14/2025 20:15:35 UTC