SCA: security update for @octokit/request (GHSA-rmvr-2pp2-xj38)

Medium | Tenable Self-Hosted Container Security | Plugin ID 420899

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- @octokit/request sends parameterized requests to GitHub's APIs with sensible defaults in browsers and
Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression
`/<([^>]+)>; rel="deprecation"/` used to match the `link` header in HTTP responses is vulnerable to a
ReDoS (Regular Expression Denial of Service) attack. The character class `[^>]+` is unbounded and also
consumes `<` characters, so on a header that never completes a match the engine backtracks and re-scans
the remainder from every `<` it finds; the work grows quadratically with the header length. An attacker
who controls a response the client parses (for example the server behind a custom `baseUrl`, or an
intercepting proxy) can send a crafted `link` header that makes the calling process spend excessive CPU
in that match, potentially causing it to become unresponsive and impacting service availability.
Versions 9.2.1 and 8.4.1 fix the issue. (CVE-2025-25290)
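
As an added illustration of the behaviour described above (example code written for this page, not code from @octokit/request or from Tenable), the block below places the advisory's regex beside a linear-time scan of the `link` header, and adds a lockfile check built on the affected ranges quoted above. The 8 KiB header cap, the function names and the sample lockfile fragment are assumptions made for the example; the hardened scan is an illustration of a safe shape, not the project's actual fix.

```javascript
// Added example for this advisory, not code from @octokit/request or Tenable:
// the regex quoted in GHSA-rmvr-2pp2-xj38 beside a linear-time scan, plus a
// lockfile check built on the advisory's affected ranges.

// The pattern from the advisory, as applied to the `link` response header.
const VULNERABLE_RE = /<([^>]+)>; rel="deprecation"/;

// Header cap for the hardened scan: an assumption made for this example,
// not a limit @octokit/request enforces.
const MAX_LINK_HEADER_LENGTH = 8 * 1024;

// Vulnerable shape: one regex match over an attacker-supplied header.
function deprecationLinkRegex(linkHeader) {
  const m = VULNERABLE_RE.exec(linkHeader);
  return m ? m[1] : null;
}

// Hardened shape: a single forward scan over the RFC 8288 link-value list.
// Each indexOf() resumes where the previous one stopped, so the cost stays
// proportional to the header length whatever characters it contains.
function deprecationLinkParsed(linkHeader) {
  if (typeof linkHeader !== "string" || linkHeader.length > MAX_LINK_HEADER_LENGTH) {
    return null;
  }
  let i = 0;
  while (i < linkHeader.length) {
    const open = linkHeader.indexOf("<", i);
    if (open === -1) return null;
    const close = linkHeader.indexOf(">", open + 1);
    if (close === -1) return null;
    // Parameters run to the next ","; commas inside quoted parameter values
    // are not handled (GitHub's link headers contain none).
    let end = linkHeader.indexOf(",", close + 1);
    if (end === -1) end = linkHeader.length;
    const params = linkHeader.slice(close + 1, end).split(";").map((p) => p.trim());
    if (params.includes('rel="deprecation"')) return linkHeader.slice(open + 1, close);
    i = end + 1;
  }
  return null;
}

// Wall-clock cost of one call in milliseconds, for the demo at the bottom.
function timeMs(fn, input) {
  const t0 = performance.now();
  fn(input);
  return performance.now() - t0;
}

// Affected ranges as published in the advisory: >=1.0.0 <8.4.1 and
// >=9.0.0 <9.2.1. Versions are folded into one integer for comparison
// (assumes components below 1000); prerelease suffixes are ignored.
const AFFECTED_RANGES = [
  { from: "1.0.0", fixed: "8.4.1" },
  { from: "9.0.0", fixed: "9.2.1" },
];

function versionKey(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return Number(m[1]) * 1e6 + Number(m[2]) * 1e3 + Number(m[3]);
}

function isVulnerableOctokitRequest(version) {
  const v = versionKey(version);
  return AFFECTED_RANGES.some((r) => v >= versionKey(r.from) && v < versionKey(r.fixed));
}

// Walk a parsed package-lock.json (lockfileVersion 2 or 3 `packages` map) and
// report every installed copy of @octokit/request, nested ones included, in range.
function findVulnerableOctokitRequest(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/@octokit/request")) continue;
    if (entry.version && isVulnerableOctokitRequest(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment: one direct copy and one nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@octokit/request": { version: "8.4.0" },
    "node_modules/some-tool/node_modules/@octokit/request": { version: "9.2.1" },
  },
};

// Demo: a header of repeated "<" never matches, yet the regex re-scans the
// remainder from every "<", so doubling the length roughly quadruples its time.
for (const n of [4000, 8000]) {
  const crafted = "<".repeat(n);
  console.log(`n=${n}: regex ${timeMs(deprecationLinkRegex, crafted).toFixed(1)} ms,` +
    ` scan ${timeMs(deprecationLinkParsed, crafted).toFixed(1)} ms`);
}
console.log(findVulnerableOctokitRequest(SAMPLE_LOCK));
```

Run it with `node`. The two printed timings show the regex cost growing roughly fourfold when the header length doubles while the scan stays flat, and the lockfile walk reports only the 8.4.0 copy, not the nested 9.2.1 one. On well-formed headers the two extractors agree, including the quirk that `[^>]+` accepts `<`, so `<a<b>; rel="deprecation"` yields `a<b` from both; the scan keeps that behaviour on purpose so it can replace the regex without changing results.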

See Also

https://github.com/advisories/GHSA-rmvr-2pp2-xj38

Plugin Details

Severity: Medium

ID: 420899

Version: Revision 1.16

Type: Local

Family: SCA Checks

Published: 2/14/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.2

Percentile: 51.15

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-25290

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/14/2025

Vulnerability Publication Date: 2/14/2025

Reference Information

CVE: CVE-2025-25290