CVE-2025-8262

Name
CVE-2025-8262
Description
A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                  URI
issue-tracking        https://github.com/yarnpkg/yarn/pull/9199
issue-tracking        https://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076
signature             https://vuldb.com/?ctiid.317850
vdb-entry             https://vuldb.com/?id.317850
third-party-advisory  https://vuldb.com/?submit.617393

Match rules

CPE URI  Source package  Min version  Max version
         yarn            == 1.22.0    == 1.22.0
         yarn            == 1.22.1    == 1.22.1
         yarn            == 1.22.2    == 1.22.2
         yarn            == 1.22.3    == 1.22.3
         yarn            == 1.22.4    == 1.22.4
         yarn            == 1.22.5    == 1.22.5
         yarn            == 1.22.6    == 1.22.6
         yarn            == 1.22.7    == 1.22.7
         yarn            == 1.22.8    == 1.22.8
         yarn            == 1.22.9    == 1.22.9
         yarn            == 1.22.10   == 1.22.10
         yarn            == 1.22.11   == 1.22.11
         yarn            == 1.22.12   == 1.22.12
         yarn            == 1.22.13   == 1.22.13
         yarn            == 1.22.14   == 1.22.14
         yarn            == 1.22.15   == 1.22.15
         yarn            == 1.22.16   == 1.22.16
         yarn            == 1.22.17   == 1.22.17
         yarn            == 1.22.18   == 1.22.18
         yarn            == 1.22.19   == 1.22.19
         yarn            == 1.22.20   == 1.22.20
         yarn            == 1.22.21   == 1.22.21
         yarn            == 1.22.22   == 1.22.22

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                   Status
yarn            edge-community  1.22.22-r1  Ed Robinson <ed@reevoo.com>  possibly vulnerable
yarn            3.22-community  1.22.22-r1  Ed Robinson <ed@reevoo.com>  possibly vulnerable