
fix(deps): update dependency @octokit/request to v8.4.1 [security] #5344

Open
wants to merge 1 commit into base: main
Conversation

renovate[bot] (Contributor) commented Feb 16, 2025

This PR contains the following updates:

Package: @octokit/request
Change: 8.4.0 -> 8.4.1

GitHub Vulnerability Alerts

CVE-2025-25290

Summary

The regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.

Details

The vulnerability resides in the regular expression /<([^>]+)>; rel="deprecation"/, which is used to match the link header in HTTP responses. This regular expression captures content between angle brackets (<>) followed by ; rel="deprecation". However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input.
An attacker can exploit this vulnerability by sending a specially crafted link header designed to trigger excessive backtracking. For example, the following headers:

fakeHeaders.set("link", "<".repeat(100000) + ">");
fakeHeaders.set("deprecation", "true");

The crafted link header consists of 100,000 consecutive < characters followed by a closing >. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant increase in CPU usage, which may lead to denial of service, making the server unresponsive or even causing it to crash under load.
The issue is present in the following code:

const matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);

In this scenario, the link header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.

PoC

The gist of PoC.js

  1. run npm i @octokit/request
  2. run 'node poc.js'
     result:
  3. then the program will get stuck forever with high CPU usage

import { request } from "@octokit/request";
// Wrap the global fetch so every response comes back with the crafted headers.
const originalFetch = globalThis.fetch;
globalThis.fetch = async (url, options) => {
  const response = await originalFetch(url, options);
  const fakeHeaders = new Headers(response.headers);
  // 100,000 '<' followed by one '>': the input that makes the regex backtrack.
  fakeHeaders.set("link", "<".repeat(100000) + ">");
  fakeHeaders.set("deprecation", "true");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: fakeHeaders
  });
};
// The deprecation check in @octokit/request runs the regex shown above over the link header.
request("GET /repos/octocat/hello-world")
  .then(response => {
    // console.log("[+] Response received:", response);
  })
  .catch(error => {
    // console.error("[-] Error:", error);
  });
// globalThis.fetch = originalFetch;

Impact

This is a Denial of Service (DoS) vulnerability caused by a ReDoS (Regular Expression Denial of Service) flaw. The vulnerability allows an attacker to craft a malicious link header that exploits the inefficient backtracking behavior of the regular expression used in the code.
The primary impact is the potential for server resource exhaustion, specifically high CPU usage, which can cause the server to become unresponsive or even crash when processing the malicious request. This affects the availability of the service, leading to downtime or degraded performance.
The vulnerability impacts any system that uses this specific regular expression to process link headers in HTTP responses. This can include:

  • Web applications or APIs that rely on parsing headers for deprecation information.
  • Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed.
  • Service providers who may face disruption in operations or performance degradation due to this flaw.

If left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious link header, making it a low-barrier attack that could be exploited by anyone.

Release Notes

octokit/request.js (@octokit/request)

v8.4.1

Compare Source

Bug Fixes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
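An added example, not part of this PR or of @octokit/request: a single-pass Link header parser that extracts the rel="deprecation" target without the backtracking the advisory describes, checked against the advisory's own regex on benign input. The header values and hostnames are constructed; the actual 8.4.1 fix is not reproduced here.

```javascript
// Added example (not octokit's code): extract the rel="deprecation" target
// from a Link header in a single left-to-right pass, with no backtracking.
// The regex from the advisory is kept only to compare results on benign input.
const VULNERABLE_RE = /<([^>]+)>; rel="deprecation"/;

// Parse a Link header into [{ url, params }]. Each indexOf() call advances the
// cursor, so the input is scanned once. Simplification: a ',' inside a quoted
// parameter value is not handled (it never is for the fields compared here).
function parseLinkHeader(value) {
  const links = [];
  let i = 0;
  while (i < value.length) {
    const open = value.indexOf("<", i);
    if (open === -1) break;
    const close = value.indexOf(">", open + 1);
    if (close === -1) break;
    let end = value.indexOf(",", close + 1);
    if (end === -1) end = value.length;
    const url = value.slice(open + 1, close);
    const params = {};
    for (const p of value.slice(close + 1, end).split(";")) {
      const eq = p.indexOf("=");
      if (eq === -1) continue;
      let v = p.slice(eq + 1).trim();
      if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
      params[p.slice(0, eq).trim().toLowerCase()] = v;
    }
    // '<' is not valid inside a URI reference; drop malformed segments such as
    // the advisory's "<<<<...<>" rather than returning them as a URL.
    if (!url.includes("<")) links.push({ url, params });
    i = end + 1;
  }
  return links;
}

// Returns the deprecation URL, or null when the header is absent or has none.
function deprecationLink(linkHeader) {
  if (typeof linkHeader !== "string") return null;
  const hit = parseLinkHeader(linkHeader).find((l) => l.params.rel === "deprecation");
  return hit ? hit.url : null;
}

// Constructed sample values: a benign header and the advisory's pathological one.
const BENIGN = '<https://api.example.test/items?page=2>; rel="next", ' +
  '<https://docs.example.test/deprecation>; rel="deprecation"';
const PATHOLOGICAL = "<".repeat(100000) + ">";

console.log(deprecationLink(BENIGN));        // https://docs.example.test/deprecation
console.log(deprecationLink(PATHOLOGICAL));  // null, and returns immediately
```

The vulnerable regex is never run against PATHOLOGICAL here; it is only used to confirm that both approaches agree on a well-formed header.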

@renovate renovate bot added the dependencies Pull requests that update a dependency file (automatic) label Feb 16, 2025
@renovate renovate bot requested a review from a team as a code owner February 16, 2025 01:42
@renovate renovate bot enabled auto-merge (squash) February 16, 2025 01:42
@renovate renovate bot changed the title fix(deps): update dependency @octokit/request to v9 [security] fix(deps): update dependency @octokit/request to v9 [security] - autoclosed Feb 18, 2025
@renovate renovate bot closed this Feb 18, 2025
auto-merge was automatically disabled February 18, 2025 19:38

Pull request was closed

@renovate renovate bot deleted the renovate/npm-octokit-request-vulnerability branch February 18, 2025 19:38
@renovate renovate bot changed the title fix(deps): update dependency @octokit/request to v9 [security] - autoclosed fix(deps): update dependency @octokit/request to v9 [security] Feb 18, 2025
@renovate renovate bot reopened this Feb 18, 2025
@renovate renovate bot force-pushed the renovate/npm-octokit-request-vulnerability branch from f632491 to e3f7948 Compare February 18, 2025 23:05
@renovate renovate bot changed the title fix(deps): update dependency @octokit/request to v9 [security] fix(deps): update dependency @octokit/request to v8.4.1 [security] Feb 18, 2025
@renovate renovate bot force-pushed the renovate/npm-octokit-request-vulnerability branch from e3f7948 to e3f2245 Compare February 19, 2025 02:53
@renovate renovate bot enabled auto-merge (squash) February 19, 2025 02:53
@renovate renovate bot force-pushed the renovate/npm-octokit-request-vulnerability branch 2 times, most recently from 7f90d28 to 3c6664a Compare February 24, 2025 07:03
@renovate renovate bot force-pushed the renovate/npm-octokit-request-vulnerability branch from 3c6664a to 16aecaa Compare March 7, 2025 04:36
@renovate renovate bot force-pushed the renovate/npm-octokit-request-vulnerability branch from 16aecaa to e444b1c Compare March 7, 2025 04:38