{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-9308", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-08-21T05:58:24.411Z", "datePublished": "2025-08-21T16:02:12.172Z", "dateUpdated": "2025-08-21T17:32:14.661Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-21T16:02:12.172Z"}, "title": "yarnpkg Yarn request-manager.js setOptions redos", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-1333", "lang": "en", "description": "Inefficient Regular Expression Complexity"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "Resource Consumption"}]}], "affected": [{"vendor": "yarnpkg", "product": "Yarn", "versions": [{"version": "1.22.0", "status": "affected"}, {"version": "1.22.1", "status": "affected"}, {"version": "1.22.2", "status": "affected"}, {"version": "1.22.3", "status": "affected"}, {"version": "1.22.4", "status": "affected"}, {"version": "1.22.5", "status": "affected"}, {"version": "1.22.6", "status": "affected"}, {"version": "1.22.7", "status": "affected"}, {"version": "1.22.8", "status": "affected"}, {"version": "1.22.9", "status": "affected"}, {"version": "1.22.10", "status": "affected"}, {"version": "1.22.11", "status": "affected"}, {"version": "1.22.12", "status": "affected"}, {"version": "1.22.13", "status": "affected"}, {"version": "1.22.14", "status": "affected"}, {"version": "1.22.15", "status": "affected"}, {"version": "1.22.16", "status": "affected"}, {"version": "1.22.17", "status": "affected"}, {"version": "1.22.18", "status": "affected"}, {"version": "1.22.19", "status": "affected"}, {"version": "1.22.20", "status": "affected"}, {"version": "1.22.21", "status": "affected"}, {"version": "1.22.22", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in yarnpkg Yarn bis 1.22.22 entdeckt. Betroffen hiervon ist die Funktion setOptions der Datei src/util/request-manager.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff muss auf lokaler Ebene erfolgen."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2025-08-21T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-08-21T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-08-21T08:03:40.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "mmmsssttt (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.320913", "name": "VDB-320913 | yarnpkg Yarn request-manager.js setOptions redos", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.320913", "name": "VDB-320913 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.633486", "name": "Submit #633486 | yarn Yarn src/util/request-manager.js v1.22.22 Inefficient Regular Expression Complexity", "tags": ["third-party-advisory"]}, {"url": "https://github.com/yarnpkg/yarn/pull/9203", "tags": ["issue-tracking"]}], "tags": ["unsupported-when-assigned"]}, "adp": [{"references": [{"url": "https://github.com/yarnpkg/yarn/pull/9203", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-21T17:24:36.331263Z", "id": "CVE-2025-9308", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T17:32:14.661Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9308", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-21T17:24:36.331263Z"}}}], "references": [{"url": "https://github.com/yarnpkg/yarn/pull/9203", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-21T17:24:43.236Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "yarnpkg Yarn request-manager.js setOptions redos", "credits": [{"lang": "en", "type": "reporter", "value": "mmmsssttt (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:ND/RC:UR"}}], "affected": [{"vendor": "yarnpkg", "product": "Yarn", "versions": [{"status": "affected", "version": "1.22.0"}, {"status": "affected", "version": "1.22.1"}, {"status": "affected", "version": "1.22.2"}, {"status": "affected", "version": "1.22.3"}, {"status": "affected", "version": "1.22.4"}, {"status": "affected", "version": "1.22.5"}, {"status": "affected", "version": "1.22.6"}, {"status": "affected", "version": "1.22.7"}, {"status": "affected", "version": "1.22.8"}, {"status": "affected", "version": "1.22.9"}, {"status": "affected", "version": "1.22.10"}, {"status": "affected", "version": "1.22.11"}, {"status": "affected", "version": "1.22.12"}, {"status": "affected", "version": "1.22.13"}, {"status": "affected", "version": "1.22.14"}, {"status": "affected", "version": "1.22.15"}, {"status": "affected", "version": "1.22.16"}, {"status": "affected", "version": "1.22.17"}, {"status": "affected", "version": "1.22.18"}, {"status": "affected", "version": "1.22.19"}, {"status": "affected", "version": "1.22.20"}, {"status": "affected", "version": "1.22.21"}, {"status": "affected", "version": "1.22.22"}]}], "timeline": [{"lang": "en", "time": "2025-08-21T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-08-21T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-08-21T08:03:40.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.320913", "name": "VDB-320913 | yarnpkg Yarn request-manager.js setOptions redos", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.320913", "name": "VDB-320913 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.633486", "name": "Submit #633486 | yarn Yarn src/util/request-manager.js v1.22.22 Inefficient Regular Expression Complexity", "tags": ["third-party-advisory"]}, {"url": "https://github.com/yarnpkg/yarn/pull/9203", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in yarnpkg Yarn bis 1.22.22 entdeckt. Betroffen hiervon ist die Funktion setOptions der Datei src/util/request-manager.js. Mittels dem Manipulieren mit unbekannten Daten kann eine inefficient regular expression complexity-Schwachstelle ausgenutzt werden. Der Angriff muss auf lokaler Ebene erfolgen."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "Inefficient Regular Expression Complexity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Resource Consumption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-08-21T16:02:12.172Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9308", "state": "PUBLISHED", "dateUpdated": "2025-08-21T17:32:14.661Z", "dateReserved": "2025-08-21T05:58:24.411Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-08-21T16:02:12.172Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yarnpkg:yarn:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0ACE16B-A776-4707-AB1A-BD46CA1E53CA", "versionEndIncluding": "1.22.22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad en yarnpkg Yarn hasta la versi\u00f3n 1.22.22. Esta vulnerabilidad afecta a la funci\u00f3n setOptions del archivo src/util/request-manager.js. Esta manipulaci\u00f3n genera una complejidad ineficiente en las expresiones regulares. Se requiere acceso local para abordar este ataque. Esta vulnerabilidad solo afecta a los productos que ya no reciben soporte del fabricante."}], "id": "CVE-2025-9308", "lastModified": "2025-09-12T12:58:04.847", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-08-21T16:15:35.790", "references": [{"source": "[email protected]", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/yarnpkg/yarn/pull/9203"}, {"source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.320913"}, {"source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.320913"}, {"source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.633486"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/yarnpkg/yarn/pull/9203"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "yarn: yarnpkg regular expression denial of service", "id": "2390129", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2390129"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "(CWE-1333|CWE-400)", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-9308", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "migration-toolkit-virtualization/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:migration_toolkit_virtualization:2", "fix_state": "Fix deferred", "package_name": "mtv-candidate/mtv-console-plugin-rhel9", "product_name": "Migration Toolkit for Virtualization"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-ossmc-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:2", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-rhel8", "product_name": "OpenShift Service Mesh 2"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-operator-bundle", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-ossmc-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-rhel9", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/a:redhat:service_mesh:3", "fix_state": "Fix deferred", "package_name": "openshift-service-mesh/kiali-rhel9-operator", "product_name": "OpenShift Service Mesh 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-agent-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-extensions-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argocd-rhel9", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/argo-rollouts-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/console-plugin-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/dex-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/gitops-operator-bundle", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/gitops-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/gitops-rhel8-operator", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Fix deferred", "package_name": "openshift-gitops-1/must-gather-rhel8", "product_name": "Red Hat OpenShift GitOps"}], "public_date": "2025-08-21T16:02:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-9308\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-9308\nhttps://github.com/yarnpkg/yarn/pull/9203\nhttps://vuldb.com/?ctiid.320913\nhttps://vuldb.com/?id.320913\nhttps://vuldb.com/?submit.633486"], "threat_severity": "Low"}