GitHub Community
Replies: 3 comments 1 reply
-
|
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐ |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
|
It looks like the NPM database is oversimplifying the vulnerability details compared to the GitHub Security Advisory (GHSA). A few key discrepancies stand out: Issues with NPM API Data
GitHub's advisory provides two separate version ranges:
NPM API lists the range as >=1.0.0 <9.2.1, which falsely suggests that all @octokit/request versions below 9.2.1 are affected, even though 8.4.1 and later 8.x versions are safe.
GitHub clearly specifies first_patched_version fields (8.4.1 and 9.2.1). NPM API lacks this crucial detail, leading to misleading security warnings when installing already-fixed versions like @octokit/request@8.4.1.
GitHub: Categorizes this as "medium" severity. NPM: Labels it as "moderate," which is slightly different but could impact decision-making in automated security audits. Impact of This Issue Users installing @octokit/request@8.x may receive incorrect warnings, causing unnecessary concern or unnecessary package updates. Automated security scans (e.g., npm audit) might flag safe versions due to the incorrect version range. Developers may switch to a newer version unnecessarily, leading to potential dependency conflicts. Potential Fixes or Workarounds Manually verify advisories using the GitHub API instead of relying solely on npm audit. Use npm audit --json and compare results with the GitHub Advisory API before acting. File an issue with NPM to request more precise version ranges in their advisories. |
Beta Was this translation helpful? Give feedback.
-
It seems that the npm database for vulnerabilities is either out of date with GHSA or is over simplifying fixed and affected versions.
For example, when users install
@octokit/request@8they get a warning stating that the package has a vulnerability, when in fact it has been resolved.Reference: octokit/graphql.js#638
Look at the response given by the GitHub API (https://api.github.com/advisories/GHSA-rmvr-2pp2-xj38) and then compare it to the response from the NPM API (https://registry.npmjs.org/-/npm/v1/security/advisories/bulk)
GitHub API:
{ "ghsa_id": "GHSA-rmvr-2pp2-xj38", "cve_id": "CVE-2025-25290", "url": "https://api.github.com/advisories/GHSA-rmvr-2pp2-xj38", "html_url": "https://github.com/advisories/GHSA-rmvr-2pp2-xj38", "summary": "@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking", "description": "### Summary\nThe regular expression `/<([^>]+)>; rel=\"deprecation\"/` used to match the `link` header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious `link` header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.\n### Details\nThe vulnerability resides in the regular expression `/<([^>]+)>; rel=\"deprecation\"/`, which is used to match the `link` header in HTTP responses. This regular expression captures content between angle brackets (`<>`) followed by `; rel=\"deprecation\"`. However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input.\nAn attacker can exploit this vulnerability by sending a specially crafted `link` header designed to trigger excessive backtracking. For example, the following headers:\n```js\nfakeHeaders.set(\"link\", \"<\".repeat(100000) + \">\");\nfakeHeaders.set(\"deprecation\", \"true\");\n```\nThe crafted `link` header consists of 100,000 consecutive `<` characters followed by a closing `>`. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant increase in CPU usage, which may lead to denial of service, making the server unresponsive or even causing it to crash under load.\nThe issue is present in the following code:\n```js\nconst matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel=\"deprecation\"/);\n```\nIn this scenario, the `link` header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.\n\n### PoC\n[The gist of PoC.js](https://gist.github.com/ShiyuBanzhou/2afdabf0fc4cb6cfbd3b1d58b6082f6a)\n1. run npm i @octokit/request\n2. run 'node poc.js'\nresult:\n3. then the program will stuck forever with high CPU usage\n```js\nimport { request } from \"@octokit/request\";\nconst originalFetch = globalThis.fetch;\nglobalThis.fetch = async (url, options) => {\n const response = await originalFetch(url, options);\n const fakeHeaders = new Headers(response.headers);\n fakeHeaders.set(\"link\", \"<\".repeat(100000) + \">\");\n fakeHeaders.set(\"deprecation\", \"true\");\n return new Response(response.body, {\n status: response.status,\n statusText: response.statusText,\n headers: fakeHeaders\n });\n};\nrequest(\"GET /repos/octocat/hello-world\")\n .then(response => {\n // console.log(\"[+] Response received:\", response);\n })\n .catch(error => {\n // console.error(\"[-] Error:\", error);\n });\n// globalThis.fetch = originalFetch;\n```\n### Impact\nThis is a *Denial of Service (DoS) vulnerability* caused by a *ReDoS (Regular Expression Denial of Service)* flaw. The vulnerability allows an attacker to craft a malicious `link` header that exploits the inefficient backtracking behavior of the regular expression used in the code.\nThe primary impact is the potential for *server resource exhaustion*, specifically high CPU usage, which can cause the server to become unresponsive or even crash when processing the malicious request. This affects the availability of the service, leading to downtime or degraded performance.\nThe vulnerability impacts any system that uses this specific regular expression to process `link` headers in HTTP responses. This can include:\n* Web applications or APIs that rely on parsing headers for deprecation information.\n* Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed.\n* Service providers who may face disruption in operations or performance degradation due to this flaw.\nIf left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious `link` header, making it a low-barrier attack that could be exploited by anyone.", "type": "reviewed", "severity": "medium", "repository_advisory_url": "https://api.github.com/repos/octokit/request.js/security-advisories/GHSA-rmvr-2pp2-xj38", "source_code_location": "https://github.com/octokit/request.js", "identifiers": [ { "value": "GHSA-rmvr-2pp2-xj38", "type": "GHSA" }, { "value": "CVE-2025-25290", "type": "CVE" } ], "references": [ "https://github.com/octokit/request.js/security/advisories/GHSA-rmvr-2pp2-xj38", "https://github.com/octokit/request.js/commit/34ff07ee86fc5c20865982d77391bc910ef19c68", "https://nvd.nist.gov/vuln/detail/CVE-2025-25290", "https://github.com/octokit/request.js/releases/tag/v8.4.1", "https://github.com/advisories/GHSA-rmvr-2pp2-xj38" ], "published_at": "2025-02-14T18:00:18Z", "updated_at": "2025-02-18T19:17:42Z", "github_reviewed_at": "2025-02-14T18:00:18Z", "nvd_published_at": "2025-02-14T20:15:35Z", "withdrawn_at": null, "vulnerabilities": [ { "package": { "ecosystem": "npm", "name": "@octokit/request" }, "vulnerable_version_range": ">= 9.0.0-beta.1, < 9.2.1", "first_patched_version": "9.2.1", "vulnerable_functions": [ ] }, { "package": { "ecosystem": "npm", "name": "@octokit/request" }, "vulnerable_version_range": ">= 1.0.0, < 8.4.1", "first_patched_version": "8.4.1", "vulnerable_functions": [ ] } ], "cvss_severities": { "cvss_v3": { "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "score": 5.3 }, "cvss_v4": { "vector_string": null, "score": 0.0 } }, "cwes": [ { "cwe_id": "CWE-1333", "name": "Inefficient Regular Expression Complexity" } ], "credits": [ ], "cvss": { "vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "score": 5.3 }, "epss": { "percentage": 0.00043, "percentile": 0.1166 } }NPM API:
{ "@octokit/request": [ { "id": 1102260, "url": "https://github.com/advisories/GHSA-rmvr-2pp2-xj38", "title": "@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking", "severity": "moderate", "vulnerable_versions": ">=1.0.0 <9.2.1", "cwe": [ "CWE-1333" ], "cvss": { "score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } } ] }Beta Was this translation helpful? Give feedback.
All reactions