Inefficient Regular Expression Complexity in Yarn by yarnpkg
CVE-2025-9308

4.8MEDIUM

Key Information:

Vendor: Yarnpkg
Status: Yarn
Vendor: CVE Published:; 21 August 2025

What is CVE-2025-9308?

A vulnerability exists in the Yarn package manager, specifically in the setOptions function located in src/util/request-manager.js. This flaw results in inefficient regular expression complexity, posing a risk that could be exploited by users with local access. It primarily affects versions of Yarn that are no longer maintained, making them more susceptible to potential manipulations.

Affected Version(s)

Yarn 1.22.0

Yarn 1.22.1

Yarn 1.22.2

References

https://vuldb.com/?id.320913

vdb-entrytechnical-description

https://vuldb.com/?ctiid.320913

signaturepermissions-required

https://vuldb.com/?submit.633486

third-party-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 21, 2025
Vulnerability Reserved
Aug 21, 2025

Credit

mmmsssttt (VulDB User)

Yarnpkg

What is CVE-2025-9308?

Affected Version(s)

References

CVSS V4

Timeline

Credit