DEBIAN-CVE-2025-9308

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-9308

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-9308.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-9308

Upstream

CVE-2025-9308

Published

2025-08-21T16:15:35.790Z

Modified

2026-03-17T02:51:39.844015Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer.

References

https://security-tracker.debian.org/tracker/CVE-2025-9308

Affected packages

Debian:11 / node-yarnpkg

Package

Name: node-yarnpkg
Purl: pkg:deb/debian/node-yarnpkg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.22.10+~cs22.25.14-3

1.22.10+~cs22.25.14-4

1.22.10+~cs22.25.14-5

1.22.10+~cs22.25.14-6

1.22.10+~cs22.25.14-8

1.22.10+~cs22.25.14-9

1.22.19+~cs24.27.18-1

1.22.19+~cs24.27.18-2

1.22.19+~cs24.27.18-3

1.22.19+~cs24.27.18-4

4.*

4.0.0-rc.53+dfsg-1

4.0.1+dfsg-1

4.0.1+dfsg-2

4.0.2+dfsg-1

4.0.2+dfsg-2

4.0.2+dfsg-3

4.1.0+dfsg-1

4.1.0+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-9308.json"

Debian:12 / node-yarnpkg

Package

Name: node-yarnpkg
Purl: pkg:deb/debian/node-yarnpkg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.22.19+~cs24.27.18-2

1.22.19+~cs24.27.18-2+deb12u1

1.22.19+~cs24.27.18-3

1.22.19+~cs24.27.18-4

4.*

4.0.0-rc.53+dfsg-1

4.0.1+dfsg-1

4.0.1+dfsg-2

4.0.2+dfsg-1

4.0.2+dfsg-2

4.0.2+dfsg-3

4.1.0+dfsg-1

4.1.0+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-9308.json"

Debian:13 / node-yarnpkg

Package

Name: node-yarnpkg
Purl: pkg:deb/debian/node-yarnpkg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.2+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-9308.json"

Debian:14 / node-yarnpkg

Package

Name: node-yarnpkg
Purl: pkg:deb/debian/node-yarnpkg?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.0.2+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-9308.json"