yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos_CVE-2025-8262

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X

Description

A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.

Basic Information

ID CVE-2025-8262

Source VulDB

Published Jul 28, 2025 at 07:02

Modified Jul 28, 2025 at 17:16

Affected Product

Vendor yarnpkg

Product Yarn

Version 1.22.0

Affected Versions yarnpkg Yarn 1.22.0
yarnpkg Yarn 1.22.1
yarnpkg Yarn 1.22.2
yarnpkg Yarn 1.22.3
yarnpkg Yarn 1.22.4
yarnpkg Yarn 1.22.5
yarnpkg Yarn 1.22.6
yarnpkg Yarn 1.22.7
yarnpkg Yarn 1.22.8
yarnpkg Yarn 1.22.9
yarnpkg Yarn 1.22.10
yarnpkg Yarn 1.22.11
yarnpkg Yarn 1.22.12
yarnpkg Yarn 1.22.13
yarnpkg Yarn 1.22.14
yarnpkg Yarn 1.22.15
yarnpkg Yarn 1.22.16
yarnpkg Yarn 1.22.17
yarnpkg Yarn 1.22.18
yarnpkg Yarn 1.22.19
yarnpkg Yarn 1.22.20
yarnpkg Yarn 1.22.21
yarnpkg Yarn 1.22.22

CWE Classification

CWE-1333 CWE-400

References

{
    "lastseen": "",
    "description": "A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.",
    "published": "2025-07-28T07:02:05.616Z",
    "modified": "2025-07-28T17:16:45.501Z",
    "type": "cve",
    "title": "yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.317850\nhttps://vuldb.com/?ctiid.317850\nhttps://vuldb.com/?submit.617393\nhttps://github.com/yarnpkg/yarn/pull/9199\nhttps://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076",
    "id": "CVE-2025-8262",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1333",
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "yarnpkg Yarn 1.22.0\nyarnpkg Yarn 1.22.1\nyarnpkg Yarn 1.22.2\nyarnpkg Yarn 1.22.3\nyarnpkg Yarn 1.22.4\nyarnpkg Yarn 1.22.5\nyarnpkg Yarn 1.22.6\nyarnpkg Yarn 1.22.7\nyarnpkg Yarn 1.22.8\nyarnpkg Yarn 1.22.9\nyarnpkg Yarn 1.22.10\nyarnpkg Yarn 1.22.11\nyarnpkg Yarn 1.22.12\nyarnpkg Yarn 1.22.13\nyarnpkg Yarn 1.22.14\nyarnpkg Yarn 1.22.15\nyarnpkg Yarn 1.22.16\nyarnpkg Yarn 1.22.17\nyarnpkg Yarn 1.22.18\nyarnpkg Yarn 1.22.19\nyarnpkg Yarn 1.22.20\nyarnpkg Yarn 1.22.21\nyarnpkg Yarn 1.22.22",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Yarn",
    "version": "1.22.0",
    "vendor": "yarnpkg",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}