A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer.
{
"cna_assigner": "VulDB",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9308.json",
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "1.22.6"
},
{
"last_affected": "1.22.6"
},
{
"introduced": "1.22.7"
},
{
"last_affected": "1.22.7"
},
{
"introduced": "1.22.8"
},
{
"last_affected": "1.22.8"
},
{
"introduced": "1.22.9"
},
{
"last_affected": "1.22.9"
}
]
}
]
}{
"cpe": "cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*",
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"extracted_events": [
{
"introduced": "1.22.0"
},
{
"last_affected": "1.22.0"
},
{
"introduced": "1.22.1"
},
{
"last_affected": "1.22.1"
},
{
"introduced": "1.22.2"
},
{
"last_affected": "1.22.2"
},
{
"introduced": "1.22.3"
},
{
"last_affected": "1.22.3"
},
{
"introduced": "1.22.4"
},
{
"last_affected": "1.22.4"
},
{
"introduced": "1.22.5"
},
{
"last_affected": "1.22.5"
},
{
"introduced": "1.22.10"
},
{
"last_affected": "1.22.10"
},
{
"introduced": "1.22.11"
},
{
"last_affected": "1.22.11"
},
{
"introduced": "1.22.12"
},
{
"last_affected": "1.22.12"
},
{
"introduced": "1.22.13"
},
{
"last_affected": "1.22.13"
},
{
"introduced": "1.22.14"
},
{
"last_affected": "1.22.14"
},
{
"introduced": "1.22.15"
},
{
"last_affected": "1.22.15"
},
{
"introduced": "1.22.16"
},
{
"last_affected": "1.22.16"
},
{
"introduced": "1.22.17"
},
{
"last_affected": "1.22.17"
},
{
"introduced": "1.22.18"
},
{
"last_affected": "1.22.18"
},
{
"introduced": "1.22.19"
},
{
"last_affected": "1.22.19"
},
{
"introduced": "1.22.20"
},
{
"last_affected": "1.22.20"
},
{
"introduced": "1.22.21"
},
{
"last_affected": "1.22.21"
},
{
"introduced": "1.22.22"
},
{
"last_affected": "1.22.22"
},
{
"introduced": "0"
}
]
}