CVE-2025-8262

Public Exploit

yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos

Description

A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue.

References

Link	Tags
https://vuldb.com/?id.317850	technical description vdb entry third party advisory
https://vuldb.com/?ctiid.317850	permissions required signature vdb entry
https://vuldb.com/?submit.617393	vdb entry third party advisory
https://github.com/yarnpkg/yarn/pull/9199	issue tracking exploit
https://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076	patch issue tracking

Frequently Asked Questions

What is the severity of CVE-2025-8262?: CVE-2025-8262 has been scored as a medium severity vulnerability.
How to fix CVE-2025-8262?: To fix CVE-2025-8262, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-8262 being actively exploited in the wild?: It is possible that CVE-2025-8262 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-8262?: CVE-2025-8262 affects yarnpkg Yarn.

Description

Categories

CWE-400 – Uncontrolled Resource Consumption

CWE-1333 – Inefficient Regular Expression Complexity

References

Frequently Asked Questions