Octokit Plugin Paginate Rest Regular Expression Denial-of-Service Vulnerability

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the Octokit plugin for paginating REST API responses (`@octokit/plugin-paginate-rest`), affecting versions from 1.0.0 up to but not including 11.4.1. The vulnerability is triggered when `octokit.paginate.iterator()` is called on a crafted `octokit` instance that supplies a malicious `link` header. The crafted header causes excessive backtracking in the regular expression used to parse the `Link` header, leading to high CPU usage and potential service slowdowns or freezes.

Impact

Exploitation of this vulnerability causes high CPU utilization, leading to performance degradation and possible unresponsiveness of the service processing the affected API requests.

Reproduction

To reproduce this vulnerability, create an Octokit instance with the paginate REST plugin. Inject a malicious `link` header containing a large number of repeated characters into the request. Then, call the `paginate.iterator()` method on a GitHub repository endpoint, such as issues, which will process the injected header. The application will experience a significant increase in CPU usage and may become unresponsive.
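To make concrete what a safe parse of this header looks like, here is an added example; it is not code from `@octokit/plugin-paginate-rest` nor the fix shipped in 11.4.1, and the `maxLength` cap, the sample header values and the `example.test` URLs are constructed for this illustration. The parser walks the header once with index scanning instead of a backtracking regular expression, so a header built from long runs of repeated characters (the input described above) costs time proportional to its length:

```javascript
// Added example, not code from @octokit/plugin-paginate-rest: a single-pass
// parser for the HTTP Link header that never backtracks, so its running time
// is proportional to the header length whatever the header contains.
//
// A GitHub pagination header looks like (constructed sample):
//   <https://api.github.com/repositories/1/issues?page=2>; rel="next",
//   <https://api.github.com/repositories/1/issues?page=5>; rel="last"

// Index of the first comma at or after `from` that is outside a double-quoted
// parameter value; header.length if there is none.
function findParamEnd(header, from) {
  let inQuotes = false;
  for (let i = from; i < header.length; i++) {
    const c = header[i];
    if (c === '"') {
      inQuotes = !inQuotes;
    } else if (c === "\\" && inQuotes) {
      i += 1; // skip the escaped character inside a quoted-string
    } else if (c === "," && !inQuotes) {
      return i;
    }
  }
  return header.length;
}

// Map each relation type (next, prev, last, ...) to its URL. Every character
// is visited a bounded number of times: no regular expression, no backtracking.
function parseLinkHeader(header) {
  const links = Object.create(null);
  if (typeof header !== "string") return links;
  let i = 0;
  while (i < header.length) {
    const open = header.indexOf("<", i);
    if (open === -1) break;
    const close = header.indexOf(">", open + 1);
    if (close === -1) break; // unterminated URL: stop rather than guess
    const url = header.slice(open + 1, close);
    const end = findParamEnd(header, close + 1);
    for (const part of header.slice(close + 1, end).split(";")) {
      const eq = part.indexOf("=");
      if (eq === -1) continue;
      if (part.slice(0, eq).trim().toLowerCase() !== "rel") continue;
      let value = part.slice(eq + 1).trim();
      if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
        value = value.slice(1, -1);
      }
      // rel may carry several whitespace-separated relation types
      for (const rel of value.split(/\s+/)) {
        if (rel !== "" && !(rel in links)) links[rel] = url;
      }
    }
    i = end + 1;
  }
  return links;
}

// URL carrying rel="next", or undefined. Headers longer than `maxLength` are
// refused up front: a size cap is the cheapest guard against a hostile header
// (the 16 KiB default is an assumption for this example, not a plugin setting).
function nextPageUrl(header, maxLength = 16384) {
  if (typeof header !== "string" || header.length > maxLength) return undefined;
  return parseLinkHeader(header).next;
}

// Parse a long constructed header (one URL made of repeated characters) and
// report how long it took; the time grows linearly with `size`.
function parseLongHeader(size = 200000) {
  const header = "<" + "a".repeat(size) + '>; rel="next"';
  const started = Date.now();
  const links = parseLinkHeader(header);
  return { elapsedMs: Date.now() - started, nextLength: links.next.length };
}

if (typeof require !== "undefined" && require.main === module) {
  const sample =
    '<https://api.github.com/repositories/1/issues?page=2>; rel="next", ' +
    '<https://api.github.com/repositories/1/issues?page=5>; rel="last"';
  console.log(parseLinkHeader(sample));
  console.log(parseLongHeader());
}
```

Running the file directly prints the parsed links for the sample header and the elapsed time for a 200,000-character header. The size cap in `nextPageUrl` is the extra check worth keeping even with a linear parser, because the header is chosen by the remote side and a bound on its length puts a hard ceiling on the work any request can cause.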

Remediation

Users can upgrade to version 11.4.1 or later of the `@octokit/plugin-paginate-rest` package to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.