CVE-2025-8262

Summary

A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.

Affected Software

VendorProductVersion RangeStatus
yarnpkgYarn1.22.0affected
yarnpkgYarn1.22.1affected
yarnpkgYarn1.22.2affected
yarnpkgYarn1.22.3affected
yarnpkgYarn1.22.4affected
yarnpkgYarn1.22.5affected
yarnpkgYarn1.22.6affected
yarnpkgYarn1.22.7affected
yarnpkgYarn1.22.8affected
yarnpkgYarn1.22.9affected
yarnpkgYarn1.22.10affected
yarnpkgYarn1.22.11affected
yarnpkgYarn1.22.12affected
yarnpkgYarn1.22.13affected
yarnpkgYarn1.22.14affected
yarnpkgYarn1.22.15affected
yarnpkgYarn1.22.16affected
yarnpkgYarn1.22.17affected
yarnpkgYarn1.22.18affected
yarnpkgYarn1.22.19affected
yarnpkgYarn1.22.20affected
yarnpkgYarn1.22.21affected
yarnpkgYarn1.22.22affected

Weaknesses

  • CWE-1333: Inefficient Regular Expression Complexity
  • CWE-400: Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References