octokit-1.6.2.tgz: 9 vulnerabilities (highest severity is: 7.5) #32
Description
Vulnerable Library - octokit-1.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (octokit version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-65945 |  High |
7.5 | jws-3.2.2.tgz | Transitive | 1.7.0 | ❌ |
| CVE-2022-23540 |  Medium |
6.4 | jsonwebtoken-8.5.1.tgz | Transitive | 1.7.0 | ❌ |
| CVE-2022-23539 | Medium |
5.9 | jsonwebtoken-8.5.1.tgz | Transitive | 1.7.0 | ❌ |
| CVE-2023-50728 | Medium |
5.4 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2025-25290 | Medium |
5.3 | request-5.6.2.tgz | Transitive | 4.0.0 | ❌ |
| CVE-2025-25289 | Medium |
5.3 | request-error-2.1.0.tgz | Transitive | N/A* | ❌ |
| CVE-2025-25288 | Medium |
5.3 | plugin-paginate-rest-2.16.7.tgz | Transitive | 4.0.0 | ❌ |
| CVE-2022-25883 | Medium |
5.3 | semver-5.7.1.tgz | Transitive | 1.7.0 | ❌ |
| CVE-2022-23541 | Medium |
5.0 | jsonwebtoken-8.5.1.tgz | Transitive | 1.7.0 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-65945
Vulnerable Library - jws-3.2.2.tgz
Implementation of JSON Web Signatures
Library home page: https://registry.npmjs.org/jws/-/jws-3.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- app-12.0.5.tgz
- auth-app-3.6.0.tgz
- universal-github-app-jwt-1.1.0.tgz
- jsonwebtoken-8.5.1.tgz
- ❌ jws-3.2.2.tgz (Vulnerable Library)
- jsonwebtoken-8.5.1.tgz
- universal-github-app-jwt-1.1.0.tgz
- auth-app-3.6.0.tgz
- app-12.0.5.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Publish Date: 2025-12-04
URL: CVE-2025-65945
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-869p-cjfg-cm3x
Release Date: 2025-12-04
Fix Resolution (jws): 3.2.3
Direct dependency fix Resolution (octokit): 1.7.0
Step up your Open Source Security Game with Mend here
CVE-2022-23540
Vulnerable Library - jsonwebtoken-8.5.1.tgz
JSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- app-12.0.5.tgz
- auth-app-3.6.0.tgz
- universal-github-app-jwt-1.1.0.tgz
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)
- universal-github-app-jwt-1.1.0.tgz
- auth-app-3.6.0.tgz
- app-12.0.5.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
In versions "<=8.5.1" of "jsonwebtoken" library, lack of algorithm definition in the "jwt.verify()" function can lead to signature validation bypass due to defaulting to the "none" algorithm for signature verification. Users are affected if you do not specify algorithms in the "jwt.verify()" function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the "jwt.verify()" method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the "none" algorithm. If you need 'none' algorithm, you have to explicitly specify that in "jwt.verify()" options.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-12-22
URL: CVE-2022-23540
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-qwph-4952-7xr6
Release Date: 2022-12-22
Fix Resolution (jsonwebtoken): 9.0.0
Direct dependency fix Resolution (octokit): 1.7.0
Step up your Open Source Security Game with Mend here
CVE-2022-23539
Vulnerable Library - jsonwebtoken-8.5.1.tgz
JSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- app-12.0.5.tgz
- auth-app-3.6.0.tgz
- universal-github-app-jwt-1.1.0.tgz
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)
- universal-github-app-jwt-1.1.0.tgz
- auth-app-3.6.0.tgz
- app-12.0.5.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
Versions "<=8.5.1" of "jsonwebtoken" library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the "allowInvalidAsymmetricKeyTypes" option to "true" in the "sign()" and/or "verify()" functions.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-12-22
URL: CVE-2022-23539
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-8cf7-32gw-wr33
Release Date: 2022-12-22
Fix Resolution (jsonwebtoken): 9.0.0
Direct dependency fix Resolution (octokit): 1.7.0
Step up your Open Source Security Game with Mend here
CVE-2023-50728
Vulnerable Libraries - webhooks-9.15.0.tgz, octokit-1.6.2.tgz
webhooks-9.15.0.tgz
GitHub webhook events toolset for Node.js
Library home page: https://registry.npmjs.org/@octokit/webhooks/-/webhooks-9.15.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- app-12.0.5.tgz
- ❌ webhooks-9.15.0.tgz (Vulnerable Library)
- app-12.0.5.tgz
octokit-1.6.2.tgz
The all-batteries-included GitHub SDK for Browsers, Node.js, and Deno
Library home page: https://registry.npmjs.org/octokit/-/octokit-1.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ octokit-1.6.2.tgz (Vulnerable Library)
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3.
Publish Date: 2023-12-15
URL: CVE-2023-50728
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-pwfr-8pq7-x9qv
Release Date: 2023-12-15
Fix Resolution: octokit - 3.1.2,@octokit/webhooks - 9.26.3,@octokit/webhooks - 10.9.2,@octokit/webhooks - 11.1.2,probot - 12.3.3,@octokit/app - 14.0.2,@octokit/webhooks - 12.0.3
Step up your Open Source Security Game with Mend here
CVE-2025-25290
Vulnerable Library - request-5.6.2.tgz
Send parameterized requests to GitHub's APIs with sensible defaults in browsers and Node
Library home page: https://registry.npmjs.org/@octokit/request/-/request-5.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- app-12.0.5.tgz
- auth-app-3.6.0.tgz
- ❌ request-5.6.2.tgz (Vulnerable Library)
- auth-app-3.6.0.tgz
- app-12.0.5.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
@octokit/request sends parameterized requests to GitHub’s APIs with sensible defaults in browsers and Node. Starting in version 1.0.0 and prior to versions 9.2.1 and 8.4.1, the regular expression "/<([^>]+)>; rel="deprecation"/" used to match the "link" header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious "link" header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability. Versions 9.2.1 and 8.4.1 fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-02-14
URL: CVE-2025-25290
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-rmvr-2pp2-xj38
Release Date: 2025-02-14
Fix Resolution (@octokit/request): 8.4.1
Direct dependency fix Resolution (octokit): 4.0.0
Step up your Open Source Security Game with Mend here
CVE-2025-25289
Vulnerable Library - request-error-2.1.0.tgz
Error class for Octokit request errors
Library home page: https://registry.npmjs.org/@octokit/request-error/-/request-error-2.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- app-12.0.5.tgz
- auth-unauthenticated-2.1.0.tgz
- ❌ request-error-2.1.0.tgz (Vulnerable Library)
- auth-unauthenticated-2.1.0.tgz
- app-12.0.5.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
@octokit/request-error is an error class for Octokit request errors. Starting in version 1.0.0 and prior to version 6.1.7, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability. Version 6.1.7 contains a fix for the issue.
Publish Date: 2025-02-14
URL: CVE-2025-25289
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-02-14
Fix Resolution: @octokit/request-error - 5.1.1,6.1.7
Step up your Open Source Security Game with Mend here
CVE-2025-25288
Vulnerable Library - plugin-paginate-rest-2.16.7.tgz
Octokit plugin to paginate REST API endpoint responses
Library home page: https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-2.16.7.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- ❌ plugin-paginate-rest-2.16.7.tgz (Vulnerable Library)
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
@octokit/plugin-paginate-rest is the Octokit plugin to paginate REST API endpoint responses. For versions starting in 1.0.0 and prior to 11.4.1 of the npm package "@octokit/plugin-paginate-rest", when calling "octokit.paginate.iterator()", a specially crafted "octokit" instance—particularly with a malicious "link" parameter in the "headers" section of the "request"—can trigger a ReDoS attack. Version 11.4.1 contains a fix for the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-02-14
URL: CVE-2025-25288
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-h5c3-5r3r-rr8q
Release Date: 2025-02-14
Fix Resolution (@octokit/plugin-paginate-rest): 9.2.2
Direct dependency fix Resolution (octokit): 4.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- app-12.0.5.tgz
- auth-app-3.6.0.tgz
- universal-github-app-jwt-1.1.0.tgz
- jsonwebtoken-8.5.1.tgz
- ❌ semver-5.7.1.tgz (Vulnerable Library)
- jsonwebtoken-8.5.1.tgz
- universal-github-app-jwt-1.1.0.tgz
- auth-app-3.6.0.tgz
- app-12.0.5.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 5.7.2
Direct dependency fix Resolution (octokit): 1.7.0
Step up your Open Source Security Game with Mend here
CVE-2022-23541
Vulnerable Library - jsonwebtoken-8.5.1.tgz
JSON Web Token implementation (symmetric and asymmetric)
Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- octokit-1.6.2.tgz (Root Library)
- app-12.0.5.tgz
- auth-app-3.6.0.tgz
- universal-github-app-jwt-1.1.0.tgz
- ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)
- universal-github-app-jwt-1.1.0.tgz
- auth-app-3.6.0.tgz
- app-12.0.5.tgz
Found in HEAD commit: e1db6833fb15baf6aa472bac4d5a4279dd618797
Found in base branch: main
Vulnerability Details
jsonwebtoken is an implementation of JSON Web Tokens. Versions "<= 8.5.1" of "jsonwebtoken" library can be misconfigured so that passing a poorly implemented key retrieval function referring to the "secretOrPublicKey" argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-12-22
URL: CVE-2022-23541
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-hjrf-2m68-5959
Release Date: 2022-12-22
Fix Resolution (jsonwebtoken): 9.0.0
Direct dependency fix Resolution (octokit): 1.7.0
Step up your Open Source Security Game with Mend here