{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-8262", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-07-26T16:24:06.079Z", "datePublished": "2025-07-28T07:02:05.616Z", "dateUpdated": "2025-07-28T17:16:45.501Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-07-28T07:02:05.616Z"}, "title": "yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1333", "lang": "en", "description": "Inefficient Regular Expression Complexity"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "Resource Consumption"}]}], "affected": [{"vendor": "yarnpkg", "product": "Yarn", "versions": [{"version": "1.22.0", "status": "affected"}, {"version": "1.22.1", "status": "affected"}, {"version": "1.22.2", "status": "affected"}, {"version": "1.22.3", "status": "affected"}, {"version": "1.22.4", "status": "affected"}, {"version": "1.22.5", "status": "affected"}, {"version": "1.22.6", "status": "affected"}, {"version": "1.22.7", "status": "affected"}, {"version": "1.22.8", "status": "affected"}, {"version": "1.22.9", "status": "affected"}, {"version": "1.22.10", "status": "affected"}, {"version": "1.22.11", "status": "affected"}, {"version": "1.22.12", "status": "affected"}, {"version": "1.22.13", "status": "affected"}, {"version": "1.22.14", "status": "affected"}, {"version": "1.22.15", "status": "affected"}, {"version": "1.22.16", "status": "affected"}, {"version": "1.22.17", "status": "affected"}, {"version": "1.22.18", "status": "affected"}, {"version": "1.22.19", "status": "affected"}, {"version": "1.22.20", "status": "affected"}, {"version": "1.22.21", "status": "affected"}, {"version": "1.22.22", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue."}, {"lang": "de", "value": "Es wurde eine problematische Schwachstelle in yarnpkg Yarn bis 1.22.22 ausgemacht. Es betrifft die Funktion explodeHostedGitFragment der Datei src/resolvers/exotics/hosted-git-resolver.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Patch wird als 97731871e674bf93bcbf29e9d3258da8685f3076 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2025-07-26T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-07-26T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-07-26T18:29:39.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "mmmsssttt (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.317850", "name": "VDB-317850 | yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.317850", "name": "VDB-317850 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.617393", "name": "Submit #617393 | Yarn v1.22.22 Inefficient Regular Expression Complexity", "tags": ["third-party-advisory"]}, {"url": "https://github.com/yarnpkg/yarn/pull/9199", "tags": ["issue-tracking"]}, {"url": "https://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076", "tags": ["issue-tracking", "patch"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T17:13:41.425895Z", "id": "CVE-2025-8262", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T17:16:45.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8262", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-28T17:13:41.425895Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T17:16:41.983Z"}}], "cna": {"title": "yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos", "credits": [{"lang": "en", "type": "reporter", "value": "mmmsssttt (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4, "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"}}], "affected": [{"vendor": "yarnpkg", "product": "Yarn", "versions": [{"status": "affected", "version": "1.22.0"}, {"status": "affected", "version": "1.22.1"}, {"status": "affected", "version": "1.22.2"}, {"status": "affected", "version": "1.22.3"}, {"status": "affected", "version": "1.22.4"}, {"status": "affected", "version": "1.22.5"}, {"status": "affected", "version": "1.22.6"}, {"status": "affected", "version": "1.22.7"}, {"status": "affected", "version": "1.22.8"}, {"status": "affected", "version": "1.22.9"}, {"status": "affected", "version": "1.22.10"}, {"status": "affected", "version": "1.22.11"}, {"status": "affected", "version": "1.22.12"}, {"status": "affected", "version": "1.22.13"}, {"status": "affected", "version": "1.22.14"}, {"status": "affected", "version": "1.22.15"}, {"status": "affected", "version": "1.22.16"}, {"status": "affected", "version": "1.22.17"}, {"status": "affected", "version": "1.22.18"}, {"status": "affected", "version": "1.22.19"}, {"status": "affected", "version": "1.22.20"}, {"status": "affected", "version": "1.22.21"}, {"status": "affected", "version": "1.22.22"}]}], "timeline": [{"lang": "en", "time": "2025-07-26T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-07-26T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-07-26T18:29:39.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.317850", "name": "VDB-317850 | yarnpkg Yarn hosted-git-resolver.js explodeHostedGitFragment redos", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.317850", "name": "VDB-317850 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.617393", "name": "Submit #617393 | Yarn v1.22.22 Inefficient Regular Expression Complexity", "tags": ["third-party-advisory"]}, {"url": "https://github.com/yarnpkg/yarn/pull/9199", "tags": ["issue-tracking"]}, {"url": "https://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076", "tags": ["issue-tracking", "patch"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue."}, {"lang": "de", "value": "Es wurde eine problematische Schwachstelle in yarnpkg Yarn bis 1.22.22 ausgemacht. Es betrifft die Funktion explodeHostedGitFragment der Datei src/resolvers/exotics/hosted-git-resolver.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Patch wird als 97731871e674bf93bcbf29e9d3258da8685f3076 bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "Inefficient Regular Expression Complexity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Resource Consumption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-07-28T07:02:05.616Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8262", "state": "PUBLISHED", "dateUpdated": "2025-07-28T17:16:45.501Z", "dateReserved": "2025-07-26T16:24:06.079Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-07-28T07:02:05.616Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0ACE16B-A776-4707-AB1A-BD46CA1E53CA", "versionEndIncluding": "1.22.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en yarnpkg Yarn hasta la versi\u00f3n 1.22.22. Se ha clasificado como problem\u00e1tica. La funci\u00f3n \"exploitHostedGitFragment\" del archivo src/resolvers/exotics/hosted-git-resolver.js est\u00e1 afectada. La manipulaci\u00f3n genera una complejidad ineficiente en las expresiones regulares. El ataque podr\u00eda iniciarse en remoto. El parche se identifica como 97731871e674bf93bcbf29e9d3258da8685f3076. Se recomienda aplicar un parche para solucionar este problema."}], "id": "CVE-2025-8262", "lastModified": "2025-07-31T19:16:47.320", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2025-07-28T07:15:25.447", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit"], "url": "https://github.com/yarnpkg/yarn/pull/9199"}, {"source": "cna@vuldb.com", "tags": ["Patch"], "url": "https://github.com/yarnpkg/yarn/pull/9199/commits/97731871e674bf93bcbf29e9d3258da8685f3076"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.317850"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.317850"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.617393"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "cna@vuldb.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2025-07-28T12:45:40.073648+00:00", "updated": "2025-07-28T12:45:40.073700+00:00", "vendors": ["yarnpkg", "yarnpkg$PRODUCT$yarn"]}