Octokit Request Error Regular Expression Denial-of-Service Vulnerability
Vulnerability
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the Octokit Request Error library, affecting versions from 1.0.0 up to, but not including, 6.1.7. The issue arises in the processing of HTTP request headers, where an inefficient regular expression can be exploited. By sending an authorization header containing a long sequence of spaces followed by a newline and '@', an attacker can cause excessive resource consumption, degrading server performance and potentially leading to a denial-of-service condition.
Impact
Exploitation of this vulnerability causes high CPU usage, which can significantly slow down or freeze the server, leading to a denial-of-service condition.
Reproduction
The vulnerability can be reproduced by sending an HTTP request with an authorization header that includes a large number of spaces, followed by a newline and the '@' character. This can be done with a script that uses the Octokit Request Error library to simulate a request that triggers the regular expression processing flaw.
Remediation
Users can upgrade to Octokit Request Error version 6.1.7 or later to address this vulnerability.
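As an added example (not code from this advisory or from Octokit), the following shows a defensive way to handle the authorization header: a linear-time redaction that cannot backtrack, and a pre-check that rejects oversized or control-character-bearing header values before any library code formats an error with them. The limit MAX_AUTHORIZATION_HEADER_LENGTH and the helper names are assumptions chosen for illustration.

```javascript
// Assumption for this example: no legitimate credential comes close to this length.
const MAX_AUTHORIZATION_HEADER_LENGTH = 8192;

// The vulnerable pattern class is a redaction such as value.replace(/ .*$/, ...):
// for N spaces followed by "\n@" the engine attempts a match at every space and
// scans to the newline each time, so the work grows quadratically with N.
// (Assumption: illustrative of the pattern class, not a quote of the library's source.)

// Linear-time redaction: keep the scheme before the first space, drop the rest.
// A single indexOf scan means the cost is O(n) for any input, pathological or not.
function redactAuthorization(value) {
  const firstSpace = value.indexOf(" ");
  if (firstSpace === -1) return value; // no "<scheme> <credential>" split, nothing to redact
  return value.slice(0, firstSpace) + " [REDACTED]";
}

// Pre-check run before the header reaches any downstream processing:
// reject values that are far too long or that contain CR/LF/NUL, which never
// belong in a credential and are the ingredients of the input shape above.
function validateAuthorizationHeader(value) {
  if (value.length > MAX_AUTHORIZATION_HEADER_LENGTH) return { ok: false, reason: "too-long" };
  if (/[\r\n\0]/.test(value)) return { ok: false, reason: "control-char" }; // character class: no backtracking
  return { ok: true };
}

// Constructed test input with the shape the advisory describes: spaces, newline, "@".
function pathologicalHeader(spaceCount) {
  return "token" + " ".repeat(spaceCount) + "\n@";
}

// Runs both defences over a large constructed header and reports the elapsed time.
function demo(spaceCount = 100000) {
  const header = pathologicalHeader(spaceCount);
  const start = Date.now();
  const redacted = redactAuthorization(header);
  return { verdict: validateAuthorizationHeader(header), redacted, elapsedMs: Date.now() - start };
}

console.log(demo());
```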
