@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression /<([^>]+)>; rel=deprecation/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regexs matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
Weakness
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Extended Description
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.
Potential Mitigations
Related Attack Patterns
References
- https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68
- https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2
- https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126c
- https://github.com/octokit/request.js/releases/tag/v8.4.1
- https://github.com/octokit/request.js/releases/tag/v9.2.1
- https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38