CVE-2025-9308
BaseFortify
Publication date: 2025-08-21
Last updated on: 2025-09-12
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yarnpkg | yarn | up to 1.22.22 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in yarnpkg Yarn versions up to 1.22.22, specifically in the setOptions function of the src/util/request-manager.js file. Manipulation of the input handled there leads to inefficient regular expression complexity (CWE-1333), which can be exploited locally by an attacker with access to the system.
How can this vulnerability impact me?
When exploited locally, the vulnerability can cause inefficient regular expression processing, potentially leading to performance degradation or denial of service conditions. However, exploitation requires local access to the system, and the vulnerability affects only unsupported versions of the product.
What immediate steps should I take to mitigate this vulnerability?
Since this vulnerability affects yarnpkg Yarn up to version 1.22.22 and requires local access, the immediate mitigation step is to upgrade to a supported version of Yarn that is not affected. If upgrading is not possible, restrict local access to the affected systems and avoid code paths that rely on the vulnerable function. Note that the affected versions are no longer supported by the maintainer, so consider migrating to alternative tools or supported versions.