CVE-2025-9308

Summary

A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer.

Affected Software

VendorProductVersion RangeStatus
yarnpkgYarn1.22.0affected
yarnpkgYarn1.22.1affected
yarnpkgYarn1.22.2affected
yarnpkgYarn1.22.3affected
yarnpkgYarn1.22.4affected
yarnpkgYarn1.22.5affected
yarnpkgYarn1.22.6affected
yarnpkgYarn1.22.7affected
yarnpkgYarn1.22.8affected
yarnpkgYarn1.22.9affected
yarnpkgYarn1.22.10affected
yarnpkgYarn1.22.11affected
yarnpkgYarn1.22.12affected
yarnpkgYarn1.22.13affected
yarnpkgYarn1.22.14affected
yarnpkgYarn1.22.15affected
yarnpkgYarn1.22.16affected
yarnpkgYarn1.22.17affected
yarnpkgYarn1.22.18affected
yarnpkgYarn1.22.19affected
yarnpkgYarn1.22.20affected
yarnpkgYarn1.22.21affected
yarnpkgYarn1.22.22affected

Weaknesses

  • CWE-1333: Inefficient Regular Expression Complexity
  • CWE-400: Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References