CVE-2025-25289: 
JavaScript vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in @octokit/request-error, affecting versions from 1.0.0 to 6.1.7. The vulnerability exists in the processing of HTTP request headers, identified as CVE-2025-25289. The issue was disclosed on February 14, 2025, and affects the error class for Octokit request errors (GitHub Advisory).

The vulnerability occurs in the authorization header processing within the request processing logic, specifically at line 52 of iterator.ts. The issue stems from an inefficient regular expression pattern / .*$/ used to sanitize the authorization header. When processing specially crafted input, this pattern can lead to catastrophic backtracking in the regex engine. The vulnerability has a CVSS v3.1 base score of 5.3 (Moderate) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (GitHub Advisory).

An attacker can exploit this vulnerability by sending an authorization header containing an excessively long sequence of spaces followed by a newline and '@' character. This exploitation can result in excessive CPU usage, significantly degrading server performance or causing a denial-of-service (DoS) condition. The vulnerability particularly affects multi-tenant or API-driven platforms that process a large volume of authentication requests (GitHub Advisory).

The vulnerability has been patched in versions 5.1.1 and 6.1.7 or later. Users are advised to upgrade to these patched versions to address the security issue (GitHub Advisory).