{"id":"CVE-2025-25288","summary":"@octokit/plugin-paginate-rest has a Regular Expression in iterator that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking","details":"@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions from 1.0.0 up to but not including 11.4.1 of the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance—particularly with a malicious `link` parameter in the `headers` section of the `request`—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.","aliases":["GHSA-h5c3-5r3r-rr8q"],"modified":"2026-04-10T05:24:21.581658Z","published":"2025-02-14T19:33:43.428Z","related":["CGA-68xq-8c63-2m35"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-1333"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25288.json"},"references":[{"type":"WEB","url":"https://github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25288.json"},{"type":"ADVISORY","url":"https://github.com/octokit/plugin-paginate-rest.js/security/advisories/GHSA-h5c3-5r3r-rr8q"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25288"},{"type":"FIX","url":"https://github.com/octokit/plugin-paginate-rest.js/commit/bb6c4f945d8023902cf387391d2b2209261044ab"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/octokit/plugin-paginate-rest.js","events":[{"introduced":"19b54b3930ea81b91f69d522889e82f1179d8913"},{"fixed":"7d1fade7d42500129af04af327c0915a12253f71"}]}],"versions":["v1.0.0","v1.0.1","v1.0.2","v1.1.0","v1.1.1","v10.0.0","v10.1.0","v11.0.0","v11.0.1","v11.1.0","v11.1.1","v11.2.0","v11.3.0","v11.3.2","v11.3.3","v11.3.4","v11.3.5","v11.3.6","v11.4.0","v2.0.0","v2.0.1","v2.0.2","v2.1.0","v2.10.0","v2.11.0","v2.12.0","v2.13.0","v2.13.1","
v2.13.2","v2.13.3","v2.13.4","v2.13.5","v2.13.6","v2.14.0","v2.15.0","v2.15.1","v2.16.0","v2.16.1","v2.16.2","v2.16.3","v2.16.4","v2.16.5","v2.16.6","v2.16.7","v2.16.8","v2.16.9","v2.17.0","v2.18.0","v2.19.0","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.20.0","v2.21.0","v2.21.1","v2.21.2","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.4.0","v2.5.0","v2.5.1","v2.6.0","v2.6.1","v2.6.2","v2.7.0","v2.7.1","v2.8.0","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.9.0","v2.9.1","v3.0.0","v3.1.0","v4.0.0","v4.1.0","v4.2.0","v4.2.1","v4.2.2","v4.2.3","v4.3.0","v4.3.1","v5.0.0","v5.0.1","v6.0.0","v6.1.0","v6.1.1","v6.1.2","v7.0.0","v7.1.0","v7.1.1","v7.1.2","v8.0.0","v9.0.0","v9.1.0","v9.1.1","v9.1.2","v9.1.3","v9.1.4","v9.1.5","v9.2.0","v9.2.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25288.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}