Remote Code Execution Vulnerability in Yarn by yarnpkg
CVE-2025-8262

5.3MEDIUM

Key Information:

Vendor: Yarnpkg
Status: Yarn
Vendor: CVE Published:; 28 July 2025

What is CVE-2025-8262?

A vulnerability exists in the explodeHostedGitFragment function within the hosted-git-resolver.js file of Yarn, allowing for inefficient regular expression complexity. This creates conditions that a remote attacker could exploit, leading to performance degradation or denial-of-service outcomes. The issue has been documented and addressed in a subsequent patch (commit ID: 97731871e674bf93bcbf29e9d3258da8685f3076), and it is highly recommended that users upgrade to a safe version to mitigate the potential risks.

Affected Version(s)

Yarn 1.22.0

Yarn 1.22.1

Yarn 1.22.2

References

https://vuldb.com/?id.317850

vdb-entrytechnical-description

https://vuldb.com/?ctiid.317850

signaturepermissions-required

https://vuldb.com/?submit.617393

third-party-advisory

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 28, 2025
Vulnerability Reserved
Jul 26, 2025

Credit

mmmsssttt (VulDB User)

Yarnpkg

What is CVE-2025-8262?

Affected Version(s)

References

CVSS V4

Timeline

Credit