CVE-2025-9308

Source
https://cve.org/CVERecord?id=CVE-2025-9308
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9308.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-9308
Downstream
Published
2025-08-21T16:02:12.172Z
Modified
2026-07-15T01:49:10.759784796Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X CVSS Calculator
Summary
yarnpkg Yarn request-manager.js setOptions redos
Details

A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer.

Database specific
{
    "cna_assigner": "VulDB",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9308.json",
    "cwe_ids": [
        "CWE-1333",
        "CWE-400"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.22.6"
                },
                {
                    "last_affected": "1.22.6"
                },
                {
                    "introduced": "1.22.7"
                },
                {
                    "last_affected": "1.22.7"
                },
                {
                    "introduced": "1.22.8"
                },
                {
                    "last_affected": "1.22.8"
                },
                {
                    "introduced": "1.22.9"
                },
                {
                    "last_affected": "1.22.9"
                }
            ]
        }
    ]
}
References

Affected packages

Git / github.com/yarnpkg/yarn

Affected ranges

Type
GIT
Repo
https://github.com/yarnpkg/yarn
Events
Database specific
{
    "cpe": "cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "1.22.0"
        },
        {
            "last_affected": "1.22.0"
        },
        {
            "introduced": "1.22.1"
        },
        {
            "last_affected": "1.22.1"
        },
        {
            "introduced": "1.22.2"
        },
        {
            "last_affected": "1.22.2"
        },
        {
            "introduced": "1.22.3"
        },
        {
            "last_affected": "1.22.3"
        },
        {
            "introduced": "1.22.4"
        },
        {
            "last_affected": "1.22.4"
        },
        {
            "introduced": "1.22.5"
        },
        {
            "last_affected": "1.22.5"
        },
        {
            "introduced": "1.22.10"
        },
        {
            "last_affected": "1.22.10"
        },
        {
            "introduced": "1.22.11"
        },
        {
            "last_affected": "1.22.11"
        },
        {
            "introduced": "1.22.12"
        },
        {
            "last_affected": "1.22.12"
        },
        {
            "introduced": "1.22.13"
        },
        {
            "last_affected": "1.22.13"
        },
        {
            "introduced": "1.22.14"
        },
        {
            "last_affected": "1.22.14"
        },
        {
            "introduced": "1.22.15"
        },
        {
            "last_affected": "1.22.15"
        },
        {
            "introduced": "1.22.16"
        },
        {
            "last_affected": "1.22.16"
        },
        {
            "introduced": "1.22.17"
        },
        {
            "last_affected": "1.22.17"
        },
        {
            "introduced": "1.22.18"
        },
        {
            "last_affected": "1.22.18"
        },
        {
            "introduced": "1.22.19"
        },
        {
            "last_affected": "1.22.19"
        },
        {
            "introduced": "1.22.20"
        },
        {
            "last_affected": "1.22.20"
        },
        {
            "introduced": "1.22.21"
        },
        {
            "last_affected": "1.22.21"
        },
        {
            "introduced": "1.22.22"
        },
        {
            "last_affected": "1.22.22"
        },
        {
            "introduced": "0"
        }
    ]
}

Affected versions

1.*
1.22.0
1.22.1
1.22.10
1.22.11
1.22.12
1.22.13
1.22.14
1.22.15
1.22.16
1.22.17
1.22.18
1.22.19
1.22.2
1.22.20
1.22.21
1.22.22
1.22.3
1.22.4
1.22.5
v1.*
v1.22.0
v1.22.1
v1.22.10
v1.22.11
v1.22.12
v1.22.13
v1.22.14
v1.22.15
v1.22.16
v1.22.17
v1.22.18
v1.22.19
v1.22.2
v1.22.20
v1.22.21
v1.22.22
v1.22.3
v1.22.4
v1.22.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9308.json"