A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.
History

Thu, 31 Jul 2025 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*

Mon, 28 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 28 Jul 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Yarnpkg
Yarnpkg yarn
Vendors & Products Yarnpkg
Yarnpkg yarn

Mon, 28 Jul 2025 07:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.
Title yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos
Weaknesses CWE-1333
CWE-400
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2025-07-28T07:02:05.616Z

Updated: 2025-07-28T17:16:45.501Z

Reserved: 2025-07-26T16:24:06.079Z

Link: CVE-2025-8262

cve-icon Vulnrichment

Updated: 2025-07-28T17:16:41.983Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-28T07:15:25.447

Modified: 2025-07-31T19:16:47.320

Link: CVE-2025-8262

cve-icon Redhat

No data.