CVE-2025-8262
BaseFortify
Publication date: 2025-07-28
Last updated on: 2025-07-31
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yarnpkg | yarn | up to 1.22.22 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8262 is a Regular Expression Denial of Service (ReDoS) vulnerability in yarnpkg Yarn versions up to 1.22.22. It affects the function explodeHostedGitFragment in the file src/resolvers/exotics/hosted-git-resolver.js. The vulnerability arises from inefficient regular expressions that can cause excessive CPU consumption due to exponential worst-case complexity when processing specially crafted input. This can be exploited remotely without authentication to degrade performance or cause the application to become unresponsive. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to a denial of service condition by causing Yarn to consume excessive CPU resources, potentially freezing or making the application unresponsive. Attackers can exploit this remotely by sending specially crafted inputs that trigger inefficient regular expression processing, degrading system availability and performance. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually high CPU usage or application freezing when Yarn processes certain inputs, especially those involving hosted Git fragments. Detection can also involve testing the vulnerable function by running modified test cases in the file `tests/resolvers/exotics/hosted-git-resolver.js` to observe performance degradation. Specific commands include cloning the Yarn repository, installing dependencies, and running the test suite with the modified test file to trigger the inefficient regular expression behavior. For example:

1. `git clone https://github.com/yarnpkg/yarn.git`
2. `cd yarn`
3. `npm install`
4. Modify or use the test file `tests/resolvers/exotics/hosted-git-resolver.js` with crafted inputs
5. `npm test`

Monitoring system CPU usage during these tests can help detect the vulnerability's impact. [3]
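Before running the test suite, a quicker first check is whether an installed Yarn falls inside the affected range listed in the table above (up to 1.22.22 inclusive). The POSIX shell script below is an added example, not part of this advisory or of the Yarn project; it assumes `yarn --version` prints a dotted version string and, following the table, treats anything above 1.22.22 as outside the affected range.

```sh
#!/bin/sh
# Added example (not from the advisory or the Yarn project): report whether an
# installed Yarn falls in the affected range for CVE-2025-8262 (<= 1.22.22).
AFFECTED_MAX="1.22.22"

# vercmp A B: prints -1, 0 or 1 as dotted numeric version A is <, = or > B.
# Missing components are treated as 0, so "1.22" compares as "1.22.0".
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
    if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# is_affected VERSION: succeeds (exit 0) when VERSION is within the affected
# range. A leading "v" and any pre-release suffix ("-rc.1") are stripped first.
is_affected() {
  v=$(printf '%s' "$1" | sed 's/^v//; s/-.*$//')
  [ "$(vercmp "$v" "$AFFECTED_MAX")" -le 0 ]
}

# Check the Yarn found on PATH, if any.
if command -v yarn >/dev/null 2>&1; then
  installed=$(yarn --version 2>/dev/null || true)
  if [ -n "$installed" ] && is_affected "$installed"; then
    echo "yarn $installed is within the affected range (<= $AFFECTED_MAX) for CVE-2025-8262"
  else
    echo "yarn ${installed:-(unknown)} is outside the affected range"
  fi
fi
```

The comparison is done component by component rather than with `sort -V` so the script behaves the same on minimal `sh` implementations that lack GNU coreutils.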
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the patch identified by commit `97731871e674bf93bcbf29e9d3258da8685f3076` which updates the inefficient regular expressions in the `explodeHostedGitFragment` function to prevent excessive backtracking and CPU consumption. This patch is available in the Yarn GitHub repository and should be applied as soon as possible. Until the patch is applied, avoid processing untrusted or maliciously crafted hosted Git fragments that could trigger the vulnerability. Monitoring and limiting resource usage for Yarn processes can also help mitigate impact. [1, 3]