PT-2025-7071 · npm · @octokit/plugin-paginate-rest

Shiyubanzhou · Published 2025-02-14 · Updated 2026-06-04 · CVE-2025-25288

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: @octokit/plugin-paginate-rest versions 1.0.0 through 11.4.1
Description: The issue is a Regular Expression Denial of Service (ReDoS) vulnerability that can be triggered when calling octokit.paginate.iterator() with a specially crafted octokit instance, particularly with a malicious link parameter in the headers section of the request. Processing such a crafted Link header causes high CPU utilization and can slow down or freeze the service. The root cause is excessive backtracking in the regex pattern /<([^>]+)>;\s*rel="next"/ that the plugin uses to find the rel="next" link.
Recommendations: For versions prior to 11.4.1, update to version 11.4.1 to resolve the issue. As a temporary workaround, consider restricting the use of the octokit.paginate.iterator() function until a patch is available, and avoid using the link parameter in the headers section of the request until the issue is resolved.
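The following is an added example written for this entry, not code from the octokit project or from its fix: it extracts pagination links from an HTTP Link header by scanning the string with indices and a size cap instead of matching it against a regular expression, so no header shape can cause the backtracking described above. The MAX_LINK_HEADER_LENGTH value, the helper names and the sample header are assumptions constructed for this example.

```javascript
// Added example (not @octokit/plugin-paginate-rest's own code): parse an HTTP
// Link header with a hand-written scanner rather than a regex. Every loop
// advances an index monotonically, so cost is linear in the header length.

// Assumption: an upper bound on header size chosen for this example. Real
// GitHub Link headers are a few hundred bytes; anything far larger is
// rejected before any parsing work is done.
const MAX_LINK_HEADER_LENGTH = 8192;

function parseLinkHeader(header) {
  const links = {};
  if (typeof header !== "string" || header.length === 0) return links;
  if (header.length > MAX_LINK_HEADER_LENGTH) {
    throw new RangeError("Link header exceeds MAX_LINK_HEADER_LENGTH");
  }
  const n = header.length;
  let i = 0;
  while (i < n) {
    // Each link value has the form "<URI-Reference>; param=value; ..."
    const open = header.indexOf("<", i);
    if (open === -1) break;
    const close = header.indexOf(">", open + 1);
    if (close === -1) break;
    const url = header.slice(open + 1, close);

    // Parameters run up to the next comma that is outside double quotes.
    let j = close + 1;
    let inQuotes = false;
    while (j < n && (inQuotes || header[j] !== ",")) {
      if (header[j] === '"') inQuotes = !inQuotes;
      j += 1;
    }
    for (const rel of relationsFromParams(header.slice(close + 1, j))) {
      // First occurrence of a relation wins.
      if (!(rel in links)) links[rel] = url;
    }
    i = j + 1;
  }
  return links;
}

// Split '; rel="next"; foo=bar' into parameters and return the relation
// names from the rel parameter (rel may list several, space separated).
function relationsFromParams(paramText) {
  const rels = [];
  for (const rawParam of paramText.split(";")) {
    const eq = rawParam.indexOf("=");
    if (eq === -1) continue;
    const key = rawParam.slice(0, eq).trim().toLowerCase();
    if (key !== "rel") continue;
    let value = rawParam.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    for (const rel of value.split(" ")) {
      if (rel !== "") rels.push(rel.toLowerCase());
    }
  }
  return rels;
}

// The one lookup the advisory concerns: the URL of the rel="next" link.
function nextPageUrl(header) {
  return parseLinkHeader(header).next;
}

// Constructed sample in the shape GitHub's REST API returns.
const SAMPLE_LINK_HEADER =
  '<https://api.github.com/repositories/1300192/issues?page=2>; rel="next", ' +
  '<https://api.github.com/repositories/1300192/issues?page=3>; rel="last"';
```

Rejecting oversized headers up front is the part that turns an unbounded CPU cost into a bounded one; the scanner itself is linear, but a cap keeps even legitimate-looking garbage from consuming more than a fixed amount of work per response.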

Exploit · Fix · DoS


Related Identifiers

CVE-2025-25288
GHSA-h5c3-5r3r-rr8q

Affected Products

@octokit/plugin-paginate-rest