
yarn-1.22.22.tgz: 2 vulnerabilities (highest severity is: 7.5) #11

@ibm-mend-app

Description

Vulnerable Library - yarn-1.22.22.tgz

Library home page: https://registry.npmjs.org/yarn/-/yarn-1.22.22.tgz

Path to dependency file: /js/package.json

Path to vulnerable library: /js/node_modules/yarn/package.json

Found in HEAD commit: 61ee66def3d15dab0696e2c81e10ac128829f699

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (yarn version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-8262 | High | 7.5 | yarn-1.22.22.tgz | Direct | N/A | |
| CVE-2025-9308 | Low | 3.3 | yarn-1.22.22.tgz | Direct | N/A | |

**In some cases a remediation PR cannot be created automatically for a vulnerability, even when a remediation is available.

Details

CVE-2025-8262

Vulnerable Library - yarn-1.22.22.tgz

Library home page: https://registry.npmjs.org/yarn/-/yarn-1.22.22.tgz

Path to dependency file: /js/package.json

Path to vulnerable library: /js/node_modules/yarn/package.json

Dependency Hierarchy:

  • yarn-1.22.22.tgz (Vulnerable Library)

Found in HEAD commit: 61ee66def3d15dab0696e2c81e10ac128829f699

Found in base branch: main

Vulnerability Details

A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. The affected function is explodeHostedGitFragment in the file src/resolvers/exotics/hosted-git-resolver.js. Manipulation of its input leads to inefficient regular expression complexity. The attack can be launched remotely. The patch is identified as commit 97731871e674bf93bcbf29e9d3258da8685f3076. Applying the patch is the recommended fix.

Publish Date: 2025-07-28

URL: CVE-2025-8262

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2025-9308

Vulnerable Library - yarn-1.22.22.tgz

Library home page: https://registry.npmjs.org/yarn/-/yarn-1.22.22.tgz

Path to dependency file: /js/package.json

Path to vulnerable library: /js/node_modules/yarn/package.json

Dependency Hierarchy:

  • yarn-1.22.22.tgz (Vulnerable Library)

Found in HEAD commit: 61ee66def3d15dab0696e2c81e10ac128829f699

Found in base branch: main

Vulnerability Details

A vulnerability has been found in yarnpkg Yarn up to 1.22.22. It affects the function setOptions in the file src/util/request-manager.js. Manipulation of its input leads to inefficient regular expression complexity. Local access is required to carry out this attack. This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2025-08-21

URL: CVE-2025-9308

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

