PT-2025-7068 · Npm · @Octokit/Endpoint

Shiyubanzhou · Published 2025-02-14 · Updated 2026-05-18 · CVE-2025-25285

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: @octokit/endpoint versions 4.1.0 through 10.1.3
Description: A regular expression denial of service (ReDoS) in the parse function of the parse.ts file of the npm package @octokit/endpoint. Crafted options parameters make the program hang with high CPU utilization. The regular expression /[\w-]+(?=-preview)/g backtracks excessively when it processes a long run of characters followed by the - symbol.
Recommendations: For versions 4.1.0 through 10.1.3, update the regular expression to (?<![\w-])[\w-]+(?=-preview) to prevent excessive backtracking. Replace the existing regular expression in the parse.ts file with the updated one and test the application thoroughly to confirm that functionality is unchanged and performance improves. Once the fix is verified, deploy it to the production environment to protect against potential attacks.
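The vulnerable pattern and the recommended fix side by side, as an added example that is not @octokit/endpoint's own code: it extracts preview names from an Accept header the way the advisory's parse function does (the header rebuilding and "+json" default are an assumed simplification of parse.ts) and models the work each pattern performs on a run of word characters.

```javascript
// Added example, not @octokit/endpoint's own code: the Accept-header preview extraction
// the advisory describes, with the vulnerable regex and the recommended fix side by side.

// Vulnerable pattern. On a run of N word/hyphen characters that is not followed by
// "-preview", the engine attempts a match at every one of the N positions and, for each
// attempt, greedily consumes the rest of the run and then backtracks one character at a
// time to retest the lookahead: roughly N^2/2 steps for a single header value.
const PREVIEW_RE_VULNERABLE = /[\w-]+(?=-preview)/g;

// Recommended fix. The negative lookbehind rejects any start position that sits inside
// a run, so each run is scanned once, from its first character: linear in N.
const PREVIEW_RE_FIXED = /(?<![\w-])[\w-]+(?=-preview)/g;

// Preview names already present in an Accept header, e.g.
// "application/vnd.github.squirrel-girl-preview+json" -> ["squirrel-girl"].
function previewsFromAccept(accept, re = PREVIEW_RE_FIXED) {
  return accept.match(re) || [];
}

// Rebuild the header from existing and newly requested previews (simplified version of
// what parse.ts does; the media-type format handling is assumed, "+json" by default).
function mergePreviewHeader(accept, newPreviews, format = "", re = PREVIEW_RE_FIXED) {
  const suffix = format ? `.${format}` : "+json";
  const all = Array.from(new Set([...previewsFromAccept(accept, re), ...newPreviews]));
  return all.map((p) => `application/vnd.github.${p}-preview${suffix}`).join(",");
}

// Cost model of the two patterns, counting (start position, consumed character) pairs
// for the [\w-]+ part when no "-preview" follows. Not an instrumented engine; it shows
// the quadratic-versus-linear difference the advisory describes on a short input.
function modelledSteps(input, withLookbehind) {
  const isRun = (c) => c !== undefined && /[\w-]/.test(c);
  let steps = 0;
  for (let i = 0; i < input.length; i++) {
    if (!isRun(input[i])) continue;
    if (withLookbehind && isRun(input[i - 1])) continue; // start rejected by (?<![\w-])
    let end = i;
    while (isRun(input[end])) end++; // greedy consume, then backtrack over the same span
    steps += end - i;
  }
  return steps;
}
```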

Tags: Exploit · Fix · DoS


Weakness Enumeration

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-FN55648
CLEANSTART-2026-HD58055
CLEANSTART-2026-KS09647
CLEANSTART-2026-OW14897
CLEANSTART-2026-QY24299
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CLEANSTART-2026-UJ06223
CVE-2025-25285
GHSA-X4C5-C7RF-JJGV

Affected Products

@Octokit/Endpoint