@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression /<([^>]+)>; rel=deprecation/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regexs matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
Weakness
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Potential Mitigations
Related Attack Patterns
References
- https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68
- https://github.com/octokit/request.js/commit/356411e3217019aa9fc8a68f4236af82490873c2
- https://github.com/octokit/request.js/commit/6bb29ba92a52f7bf94469c3433707c682c17126c
- https://github.com/octokit/request.js/releases/tag/v8.4.1
- https://github.com/octokit/request.js/releases/tag/v9.2.1
- https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38