PT-2025-7073 · Github · @Octokit/Request

Shiyubanzhou · Published 2025-02-14 · Updated 2026-06-04 · CVE-2025-25290

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: @octokit/request versions 1.0.0 through 9.2.1
Description: The regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. The vulnerability arises from the unbounded matching behavior of the regex, which can lead to catastrophic backtracking when it processes specially crafted input. An attacker could exploit this flaw by sending a malicious link header, causing excessive CPU usage and potentially leaving the server unresponsive, which impacts service availability.
Recommendations: For versions 1.0.0 through 9.2.1, update to version 9.2.1 to fix the issue. As a temporary workaround, consider disabling the use of the link header in HTTP responses until a patch is available. Restrict access to the code path that applies the vulnerable regular expression to minimize the risk of exploitation. Avoid passing the link header with specially crafted input to the affected API endpoint until the issue is resolved.
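The advisory describes the regex-based extraction of the rel="deprecation" link as the weak spot. The following is an added example, not code from @octokit/request or its fix: a single-pass Link-header scanner that extracts the same URL with work bounded by the header length, plus an assumed size cap (MAX_LINK_HEADER_LENGTH) so oversized headers are rejected before parsing; the sample header is constructed.

```javascript
// Added example (not @octokit/request code): linear-time extraction of the
// URL whose rel includes "deprecation", replacing the backtracking regex.
const MAX_LINK_HEADER_LENGTH = 8192; // assumed cap, not from the advisory

// Returns the deprecation link URL, or null when none is present.
function findDeprecationLink(linkHeader) {
  if (typeof linkHeader !== "string" || linkHeader.length > MAX_LINK_HEADER_LENGTH) {
    return null; // non-string or oversized input: refuse cheaply
  }
  const n = linkHeader.length;
  let i = 0;
  while (i < n) {
    // RFC 8288: each link-value is "<" URI-Reference ">" *( ";" link-param ).
    const open = linkHeader.indexOf("<", i);
    if (open === -1) break;
    const close = linkHeader.indexOf(">", open + 1);
    if (close === -1) break; // unterminated target: stop, never rescan
    const url = linkHeader.slice(open + 1, close);
    // Parameters run to the next comma that sits outside double quotes.
    let j = close + 1;
    let inQuotes = false;
    while (j < n && (inQuotes || linkHeader[j] !== ",")) {
      if (linkHeader[j] === '"') inQuotes = !inQuotes;
      j++;
    }
    if (hasDeprecationRel(linkHeader.slice(close + 1, j))) return url;
    i = j + 1; // resume after the comma; i only moves forward
  }
  return null;
}

// Checks the "; name=value" parameters for rel containing "deprecation".
// Semicolons inside quoted values are not handled; fine for rel/type values.
function hasDeprecationRel(paramText) {
  for (const param of paramText.split(";")) {
    const eq = param.indexOf("=");
    if (eq === -1) continue;
    if (param.slice(0, eq).trim().toLowerCase() !== "rel") continue;
    let value = param.slice(eq + 1).trim();
    if (value.length >= 2 && value[0] === '"' && value[value.length - 1] === '"') {
      value = value.slice(1, -1);
    }
    // rel may list several space-separated relation types.
    if (value.split(/\s+/).includes("deprecation")) return true;
  }
  return false;
}

// Constructed sample header in the shape a GitHub-style API response might carry.
const SAMPLE_LINK_HEADER =
  '<https://api.example.test/repos?page=2>; rel="next", ' +
  '<https://docs.example.test/deprecations/teams>; rel="deprecation"; type="text/html"';
```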

Exploit · Fix · DoS


Weakness Enumeration

Related Identifiers

CVE-2025-25290
GHSA-RMVR-2PP2-XJ38

Affected Products

@Octokit/Request