4.8 / 10 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X
Description
A vulnerability has been found in yarnpkg Yarn up to 1.22.22. It affects the function setOptions in the file src/util/request-manager.js. Manipulation of this function leads to inefficient regular expression complexity. The attack requires local access. This vulnerability only affects products that are no longer supported by the maintainer.
Basic Information
ID
CVE-2025-9308
Source
VulDB
Published
Aug 21, 2025 at 16:02
Affected Product
Vendor
yarnpkg
Product
Yarn
Version
1.22.0
Affected Versions
yarnpkg Yarn 1.22.0
yarnpkg Yarn 1.22.1
yarnpkg Yarn 1.22.2
yarnpkg Yarn 1.22.3
yarnpkg Yarn 1.22.4
yarnpkg Yarn 1.22.5
yarnpkg Yarn 1.22.6
yarnpkg Yarn 1.22.7
yarnpkg Yarn 1.22.8
yarnpkg Yarn 1.22.9
yarnpkg Yarn 1.22.10
yarnpkg Yarn 1.22.11
yarnpkg Yarn 1.22.12
yarnpkg Yarn 1.22.13
yarnpkg Yarn 1.22.14
yarnpkg Yarn 1.22.15
yarnpkg Yarn 1.22.16
yarnpkg Yarn 1.22.17
yarnpkg Yarn 1.22.18
yarnpkg Yarn 1.22.19
yarnpkg Yarn 1.22.20
yarnpkg Yarn 1.22.21
yarnpkg Yarn 1.22.22