rest-20.1.1.tgz: 4 vulnerabilities (highest severity is: 5.3)

[mend-for-github-com]

Vulnerable Library - rest-20.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (rest version)	Remediation Possible**
CVE-2025-25290	Medium	5.3	request-8.4.0.tgz	Transitive	N/A*	❌
CVE-2025-25289	Medium	5.3	request-error-5.1.0.tgz	Transitive	N/A*	❌
CVE-2025-25288	Medium	5.3	plugin-paginate-rest-11.3.1.tgz	Transitive	N/A*	❌
CVE-2025-25285	Medium	5.3	endpoint-9.0.5.tgz	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-25290

Vulnerable Library - request-8.4.0.tgz

Library home page: https://registry.npmjs.org/@octokit/request/-/request-8.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• rest-20.1.1.tgz (Root Library)
  • core-5.2.0.tgz
    • ❌ request-8.4.0.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to version 9.2.1, the regular expression "/<([^>]+)>; rel="deprecation"/" used to match the "link" header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious "link" header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Version 9.2.1 fixes the issue.

Publish Date: 2025-02-14

URL: CVE-2025-25290

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rmvr-2pp2-xj38

Release Date: 2025-02-14

Fix Resolution: @octokit/request - 9.2.1

CVE-2025-25289

Vulnerable Library - request-error-5.1.0.tgz

Library home page: https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• rest-20.1.1.tgz (Root Library)
  • core-5.2.0.tgz
    • ❌ request-error-5.1.0.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.

Publish Date: 2025-02-14

URL: CVE-2025-25289

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-02-14

Fix Resolution: @octokit/request-error - 5.1.1,6.1.7

CVE-2025-25288

Vulnerable Library - plugin-paginate-rest-11.3.1.tgz

Library home page: https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-11.3.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• rest-20.1.1.tgz (Root Library)
  • ❌ plugin-paginate-rest-11.3.1.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package "@octokit/plugin-paginate-rest", when calling "octokit.paginate.iterator()", a specially crafted "octokit" instance—particularly with a malicious "link" parameter in the "headers" section of the "request"—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.

Publish Date: 2025-02-14

URL: CVE-2025-25288

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h5c3-5r3r-rr8q

Release Date: 2025-02-14

Fix Resolution: @octokit/plugin-paginate-rest - 11.4.1

CVE-2025-25285

Vulnerable Library - endpoint-9.0.5.tgz

Library home page: https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• rest-20.1.1.tgz (Root Library)
  • core-5.2.0.tgz
    • request-8.4.0.tgz
      • ❌ endpoint-9.0.5.tgz (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific "options" parameters, the "endpoint.parse(options)" call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the "parse" function within the "parse.ts" file of the npm package "@octokit/endpoint". Version 10.1.3 contains a patch for the issue.

Publish Date: 2025-02-14

URL: CVE-2025-25285

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x4c5-c7rf-jjgv

Release Date: 2025-02-14

Fix Resolution: @octokit/endpoint - 9.0.6,10.1.3