Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-25288

Good to know:

icon
icon

Date: February 14, 2025

@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package "@octokit/plugin-paginate-rest", when calling "octokit.paginate.iterator()", a specially crafted "octokit" instance—particularly with a malicious "link" parameter in the "headers" section of the "request"—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.

Severity Score

Related Resources (7)

https://nvd.nist.gov/vuln/detail/CVE-2025-25288
https://github.com/octokit/plugin-paginate-rest.js/commit/bb6c4f945d8023902cf387391d2b2209261044ab
https://github.com/octokit/plugin-paginate-rest.js/releases/tag/v9.2.2
https://github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts
https://github.com/octokit/plugin-paginate-rest.js
https://github.com/octokit/plugin-paginate-rest.js/security/advisories/GHSA-h5c3-5r3r-rr8q
https://www.mend.io/vulnerability-database/CVE-2025-25288

Severity Score

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

icon

Upgrade Version

Upgrade to version @octokit/plugin-paginate-rest - 9.2.2;@octokit/plugin-paginate-rest - 11.4.1

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

Do you need more information?

Contact Us