Vulnerable Library - rest-20.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (rest version) |
Remediation Possible** |
| CVE-2025-25290 |
 Medium |
5.3 |
request-8.4.0.tgz |
Transitive |
21.0.0 |
✅ |
| CVE-2025-25289 |
Medium |
5.3 |
request-error-5.1.0.tgz |
Transitive |
N/A* |
❌ |
| CVE-2025-25285 |
Medium |
5.3 |
endpoint-9.0.5.tgz |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-25290
Vulnerable Library - request-8.4.0.tgz
Library home page: https://registry.npmjs.org/@octokit/request/-/request-8.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rest-20.1.2.tgz (Root Library)
- core-5.2.0.tgz
- ❌ request-8.4.0.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression "/<([^>]+)>; rel="deprecation"/" used to match the "link" header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious "link" header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-02-14
URL: CVE-2025-25290
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-rmvr-2pp2-xj38
Release Date: 2025-02-14
Fix Resolution (@octokit/request): 8.4.1
Direct dependency fix Resolution (@octokit/rest): 21.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2025-25289
Vulnerable Library - request-error-5.1.0.tgz
Library home page: https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rest-20.1.2.tgz (Root Library)
- core-5.2.0.tgz
- ❌ request-error-5.1.0.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25289
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2025-02-14
Fix Resolution: @octokit/request-error - 5.1.1,6.1.7
CVE-2025-25285
Vulnerable Library - endpoint-9.0.5.tgz
Library home page: https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- rest-20.1.2.tgz (Root Library)
- core-5.2.0.tgz
- request-8.4.0.tgz
- ❌ endpoint-9.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific "options" parameters, the "endpoint.parse(options)" call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the "parse" function within the "parse.ts" file of the npm package "@octokit/endpoint". Version 10.1.3 contains a patch for the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-02-14
URL: CVE-2025-25285
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-x4c5-c7rf-jjgv
Release Date: 2025-02-14
Fix Resolution: @octokit/endpoint - 9.0.6,10.1.3
In order to enable automatic remediation for this issue, please create workflow rules
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - request-8.4.0.tgz
Library home page: https://registry.npmjs.org/@octokit/request/-/request-8.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression "/<([^>]+)>; rel="deprecation"/" used to match the "link" header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious "link" header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-02-14
URL: CVE-2025-25290
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rmvr-2pp2-xj38
Release Date: 2025-02-14
Fix Resolution (@octokit/request): 8.4.1
Direct dependency fix Resolution (@octokit/rest): 21.0.0
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - request-error-5.1.0.tgz
Library home page: https://registry.npmjs.org/@octokit/request-error/-/request-error-5.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25289
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2025-02-14
Fix Resolution: @octokit/request-error - 5.1.1,6.1.7
Vulnerable Library - endpoint-9.0.5.tgz
Library home page: https://registry.npmjs.org/@octokit/endpoint/-/endpoint-9.0.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 4689f8d8651e4b7dfbd2d9cde3cace6ec391acfa
Found in base branch: dev
Vulnerability Details
@octokit/endpoint turns REST API endpoints into generic request options. Starting in version 4.1.0 and prior to version 10.1.3, by crafting specific "options" parameters, the "endpoint.parse(options)" call can be triggered, leading to a regular expression denial-of-service (ReDoS) attack. This causes the program to hang and results in high CPU utilization. The issue occurs in the "parse" function within the "parse.ts" file of the npm package "@octokit/endpoint". Version 10.1.3 contains a patch for the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-02-14
URL: CVE-2025-25285
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-x4c5-c7rf-jjgv
Release Date: 2025-02-14
Fix Resolution: @octokit/endpoint - 9.0.6,10.1.3
In order to enable automatic remediation for this issue, please create workflow rules