Security Advisories

CVE-2025-25290

NVD

https://nvd.nist.gov/vuln/detail/CVE-2025-25290

CGA ID

CGA-2wx9-rvv6-j8wx

Severity

5.3

Medium

CVSS V3

Description

@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to version 9.2.1, the regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Version 9.2.1 fixes the issue.
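The advisory describes a Link-header match whose cost is not bounded by the header length. The function below is an added example, not code from @octokit/request or from Chainguard: it extracts the `rel="deprecation"` URL from a Link header (RFC 8288 format, `<URI>; param=value, ...`) with a single forward scan using `indexOf`, so the work done grows linearly with the header size whatever the header contains. Function names and the sample headers are constructed for this example.

```javascript
// Added example (not @octokit/request's own code): parse the HTTP Link
// header for a `rel="deprecation"` entry without a backtracking regex.
// The header is walked once, left to right, with indexOf; an unterminated
// `<` ends the scan instead of being retried from every later position.

function findDeprecationLink(linkHeader) {
  if (typeof linkHeader !== "string") return null;

  let pos = 0;
  while (pos < linkHeader.length) {
    const open = linkHeader.indexOf("<", pos);
    if (open === -1) return null;
    const close = linkHeader.indexOf(">", open + 1);
    if (close === -1) return null; // unterminated URI: stop, do not rescan

    // Parameters for this link run from after '>' up to the next '<'
    // (the separating ',' is stripped below) or to the end of the header.
    const next = linkHeader.indexOf("<", close + 1);
    const paramsEnd = next === -1 ? linkHeader.length : next;
    const params = linkHeader.slice(close + 1, paramsEnd);

    if (hasDeprecationRel(params)) {
      return linkHeader.slice(open + 1, close);
    }
    pos = paramsEnd;
  }
  return null;
}

// True when one of the `;`-separated parameters is rel=... and its value
// (quoted or bare, possibly a space-separated list) contains "deprecation".
function hasDeprecationRel(params) {
  for (const raw of params.split(";")) {
    let param = raw.trim();
    if (param.endsWith(",")) param = param.slice(0, -1).trim();
    const eq = param.indexOf("=");
    if (eq === -1) continue;
    if (param.slice(0, eq).trim().toLowerCase() !== "rel") continue;
    let value = param.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (value.split(" ").filter(Boolean).includes("deprecation")) return true;
  }
  return false;
}

// Constructed sample header (not a captured GitHub response).
const sampleLinkHeader =
  '<https://api.example.test/repos?page=2>; rel="next", ' +
  '<https://docs.example.test/deprecation>; rel="deprecation"';

console.log(findDeprecationLink(sampleLinkHeader));
// https://docs.example.test/deprecation
```

The design point is that every character is visited a bounded number of times: `indexOf` advances `pos` past each processed link, and a missing `>` returns immediately rather than letting the scanner restart from each remaining `<`.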

References

  • https://images.chainguard.dev/security/CGA-2wx9-rvv6-j8wx
