CVE-2025-9308

Name: CVE-2025-9308
Description: A vulnerability has been found in yarnpkg Yarn up to 1.22.22. It affects the function setOptions in the file src/util/request-manager.js. Manipulation of its input leads to inefficient regular expression complexity (a ReDoS condition). Local access is required to carry out this attack. This vulnerability only affects products that are no longer supported by the maintainer.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     | Release            | Version                        | Status
node-yarnpkg (PTS) | bullseye           | 1.22.10+~cs22.25.14-3          | vulnerable
node-yarnpkg       | bookworm           | 1.22.19+~cs24.27.18-2+deb12u1  | vulnerable
node-yarnpkg       | forky, sid, trixie | 4.1.0+dfsg-1                   | vulnerable

The information below is based on the following data on fixed versions.

Package      | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
node-yarnpkg | source | (unstable) | (unfixed)     |         |        |

Notes

[trixie] - node-yarnpkg <no-dsa> (Minor issue)
[bookworm] - node-yarnpkg <no-dsa> (Minor issue)
[bullseye] - node-yarnpkg <postponed> (minor issue; DoS)
https://github.com/yarnpkg/yarn/pull/9203
