CVE-2025-25290: 
JavaScript vulnerability analysis and mitigation

The CVE-2025-25290 affects @octokit/request, a package that sends parameterized requests to GitHub's APIs. The vulnerability was discovered in versions 1.0.0 through 9.2.1, where a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of the link header in HTTP responses. The issue was disclosed on February 14, 2025, and has been patched in version 9.2.1 (GitHub Advisory, NVD).

The vulnerability stems from the regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses. The pattern's unbounded nature and inefficient matching behavior can lead to catastrophic backtracking when processing specially crafted input. The vulnerability is classified with a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The issue is categorized as CWE-1333 (Inefficient Regular Expression Complexity) (GitHub Advisory).

When exploited, this vulnerability can cause excessive CPU usage and potentially render the server unresponsive, leading to a denial of service condition. The impact primarily affects service availability, with no direct effect on confidentiality or integrity. The vulnerability can affect any system that uses this package to process link headers in HTTP responses, including web applications and APIs that rely on parsing headers for deprecation information (GitHub Advisory).

The vulnerability has been patched in version 9.2.1 of @octokit/request. Users are advised to upgrade to this version or later to address the issue. The fix involves modifying the regular expression pattern to prevent catastrophic backtracking (GitHub Commit).