CVE-2025-9308
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-21

Last updated on: 2025-09-12

Assigner: VulDB

Description
A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-21
Last Modified
2025-09-12
Generated
2026-06-18
AI Q&A
2025-08-21
EPSS Evaluated
2026-06-17
NVD
CVE-2025-9308
EUVD
EUVD-2025-25475
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yarnpkg yarn to 1.22.22 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in yarnpkg Yarn versions up to 1.22.22, specifically in the setOptions function of the src/util/request-manager.js file. It involves manipulation that leads to inefficient regular expression complexity, which can be exploited locally by an attacker with access to the system.

Impact Analysis

The vulnerability can cause inefficient regular expression processing, potentially leading to performance degradation or denial of service conditions when exploited locally. However, it requires local access to the system and affects only unsupported versions of the product.

Mitigation Strategies

Since this vulnerability affects yarnpkg Yarn up to version 1.22.22 and requires local access, the immediate mitigation step is to upgrade to a supported version of Yarn that is not affected by this vulnerability. If upgrading is not possible, restrict local access to the affected systems and avoid using the vulnerable function. Note that the affected products are no longer supported by the maintainer, so consider migrating to alternative tools or versions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9308. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart