
CVE-2025-25290: CWE-1333: Inefficient Regular Expression Complexity in octokit request.js

Severity: Medium
Tags: Vulnerability, CVE-2025-25290, CWE-1333
Published: Fri Feb 14 2025 (02/14/2025, 19:37:47 UTC)
Source: CVE Database V5
Vendor/Project: octokit
Product: request.js

Description

CVE-2025-25290 is a Regular Expression Denial of Service (ReDoS) vulnerability in the octokit request.js library, versions from 1.0.0 up to but not including 9.2.1. The flaw lies in an inefficient regex used to parse the HTTP 'link' header, which can be exploited by sending a maliciously crafted header to cause excessive CPU consumption. This results in degraded service availability or server unresponsiveness. The vulnerability does not affect confidentiality or integrity and requires no authentication or user interaction to exploit. Fixed versions 9.

AI-Powered Analysis

Last updated: 01/16/2026, 18:06:14 UTC

Technical Analysis

CVE-2025-25290 is a medium-severity vulnerability classified under CWE-1333, involving inefficient regular expression complexity in the octokit request.js library. Octokit is a widely used JavaScript library for sending parameterized requests to GitHub's APIs, commonly employed in both browser and Node.js environments. The vulnerability exists in versions starting from 1.0.0 up to but excluding 9.2.1 and 8.4.1, where the regex pattern `/<([^>]+)>; rel="deprecation"/` is used to parse the HTTP 'link' header in API responses. This regex is vulnerable to catastrophic backtracking due to its unbounded matching behavior, which can be triggered by specially crafted malicious input. An attacker can exploit this by sending a maliciously crafted 'link' header to a server or client using the vulnerable octokit versions, causing the regex engine to consume excessive CPU resources. This leads to a denial of service condition by making the affected service unresponsive or significantly degraded in performance. The vulnerability affects availability only, with no direct impact on confidentiality or integrity. Exploitation requires no authentication or user interaction, making it remotely exploitable over the network. The issue was addressed in octokit versions 9.2.1 and 8.4.1, which updated the regex to prevent catastrophic backtracking. No known exploits have been reported in the wild as of the publication date. This vulnerability is particularly relevant for services and applications that rely on octokit request.js to interact with GitHub APIs, including CI/CD pipelines, developer tools, and automation scripts.

Potential Impact

For European organizations, the primary impact of CVE-2025-25290 is on service availability. Organizations that integrate octokit request.js in their development workflows, automation tools, or backend services communicating with GitHub APIs may experience denial of service conditions if targeted with maliciously crafted HTTP headers. This can disrupt software development processes, continuous integration pipelines, and automated deployments, potentially causing delays and operational downtime. While the vulnerability does not compromise data confidentiality or integrity, the availability impact can affect business continuity and developer productivity. Organizations with large-scale software development operations or those providing developer tooling services are at higher risk. Additionally, cloud-based services or SaaS platforms that incorporate octokit request.js might face customer impact due to service degradation. The absence of authentication requirements for exploitation increases the attack surface, allowing remote attackers to trigger the issue without prior access. However, the lack of known exploits in the wild suggests limited immediate threat but warrants proactive mitigation to prevent future attacks.

Mitigation Recommendations

To mitigate CVE-2025-25290, European organizations should: 1) Upgrade all instances of octokit request.js to version 9.2.1 or later, or 8.4.1 or later, where the regex vulnerability is fixed. 2) Implement input validation and sanitization on HTTP headers, particularly the 'link' header, to detect and reject suspicious or malformed inputs that could trigger regex backtracking. 3) Employ rate limiting and anomaly detection on API endpoints or services that process GitHub API responses to reduce the risk of resource exhaustion attacks. 4) Monitor application logs and performance metrics for unusual CPU spikes or slowdowns during API interactions that could indicate attempted exploitation. 5) For critical infrastructure, consider isolating or sandboxing components that parse external HTTP headers to limit the impact of potential DoS attacks. 6) Educate development teams about the risks of ReDoS vulnerabilities and encourage secure coding practices when handling untrusted input. 7) Review and update dependency management policies to ensure timely patching of third-party libraries. These measures collectively reduce the likelihood and impact of exploitation beyond simply upgrading the vulnerable library.
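To make the regex issue in the Technical Analysis and mitigation step 2 concrete, here is an added example (not octokit's own code) of a linear-time Link header parser that extracts the rel="deprecation" URL without the quoted regex, preceded by a cheap pre-check that rejects oversized or bracket-unbalanced headers. The MAX_LINK_HEADER_LENGTH bound and the sample header are assumptions constructed for this example.

```javascript
// Added example, not code from octokit request.js. Replaces the regex
// /<([^>]+)>; rel="deprecation"/ with indexOf/slice scanning, so the work
// done stays proportional to the header length whatever shape the input has.

const MAX_LINK_HEADER_LENGTH = 8192; // assumed cap; tune to your environment

// Mitigation step 2: reject a Link header before parsing if it is too long or
// its '<' / '>' brackets are unbalanced or nested (the shape that makes a
// backtracking regex rescan the same characters over and over).
function linkHeaderLooksSuspicious(header) {
  if (typeof header !== 'string') return true;
  if (header.length > MAX_LINK_HEADER_LENGTH) return true;
  let depth = 0;
  for (const ch of header) {
    if (ch === '<') depth += 1;
    else if (ch === '>') depth -= 1;
    if (depth < 0 || depth > 1) return true; // stray '>' or nested '<'
  }
  return depth !== 0; // an unclosed '<' is also rejected
}

// Return the URL whose link-param list carries rel="deprecation", or null.
// Each character of the header is visited a bounded number of times.
// Caveat: URLs containing a literal ',' would need a fuller RFC 8288 parser.
function parseDeprecationLink(header) {
  if (linkHeaderLooksSuspicious(header)) return null;
  for (const rawPart of header.split(',')) {
    const part = rawPart.trim();
    if (!part.startsWith('<')) continue;
    const close = part.indexOf('>');
    if (close === -1) continue;
    const url = part.slice(1, close);
    const params = part.slice(close + 1).split(';').map((p) => p.trim());
    if (params.includes('rel="deprecation"')) return url;
  }
  return null;
}

// Constructed sample header for demonstration (not from a real API response).
const SAMPLE_LINK_HEADER =
  '<https://api.example.test/repos?page=2>; rel="next", ' +
  '<https://api.example.test/docs/deprecation>; rel="deprecation"';

console.log(parseDeprecationLink(SAMPLE_LINK_HEADER));
console.log(linkHeaderLooksSuspicious('<'.repeat(100)));
```

The pre-check is a defence-in-depth measure for code that cannot upgrade immediately; the actual fix remains moving to request.js 9.2.1 / 8.4.1 or later.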


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-02-06T17:13:33.122Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696a7aa9b22c7ad868c5764f

Added to database: 1/16/2026, 5:51:37 PM

Last enriched: 1/16/2026, 6:06:14 PM

Last updated: 1/16/2026, 7:35:27 PM
