{"id":"CVE-2025-25289","summary":"@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking","details":"@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and \"@\", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.","aliases":["GHSA-xx4v-prfh-6cgc"],"modified":"2026-04-10T05:24:21.253780Z","published":"2025-02-14T19:35:19.998Z","related":["CGA-x3j5-xv69-hj86"],"database_specific":{"cwe_ids":["CWE-1333"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25289.json"},"references":[{"type":"WEB","url":"https://github.com/octokit/request-error.js/blob/main/src/index.ts"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25289.json"},{"type":"ADVISORY","url":"https://github.com/octokit/request-error.js/security/advisories/GHSA-xx4v-prfh-6cgc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25289"},{"type":"FIX","url":"https://github.com/octokit/request-error.js/commit/d558320874a4bc8d356babf1079e6f0056a59b9e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/octokit/request-error.js","events":[{"introduced":"38bbb1a82f9bd56247cff20625a5a4e2582a8bf7"},{"fixed":"c346f5cf3ee93d4937fbf0cbf4b39763a0a6c110"}]}],"versions":["v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.1.0","v1.2.0","v1.2.1","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.1.0","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v4.0.0","v4.0.1","v4.0.2","v5.0.0","v5.0.1","v6.0.0","v6.0.1","v6.0.2","v6.0.3","v6.1.0","v6.1.1","v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.1.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25289.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}