CVE-2025-8262

Name: CVE-2025-8262
Description: A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1110609

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release              Version                         Status
node-yarnpkg (PTS)   bullseye             1.22.10+~cs22.25.14-3           vulnerable
                     bookworm             1.22.19+~cs24.27.18-2+deb12u1   vulnerable
                     forky, sid, trixie   4.1.0+dfsg-1                    vulnerable

The information below is based on the following data on fixed versions.

Package        Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
node-yarnpkg   source   (unstable)   (unfixed)                          1110609

Notes

[trixie] - node-yarnpkg <no-dsa> (Minor issue)
[bookworm] - node-yarnpkg <no-dsa> (Minor issue)
[bullseye] - node-yarnpkg <postponed> (minor issue; DoS)
https://github.com/yarnpkg/yarn/pull/9199