CVE-2025-8262 Overview
CVE-2025-8262 is a regular expression denial of service (ReDoS) vulnerability in the Yarn package manager, affecting versions up to and including 1.22.22. The flaw resides in the explodeHostedGitFragment function within src/resolvers/exotics/hosted-git-resolver.js. Attackers can supply crafted input strings that trigger inefficient regular expression backtracking, leading to excessive CPU consumption. The vulnerability is classified under [CWE-400] (Uncontrolled Resource Consumption) and [CWE-1333] (Inefficient Regular Expression Complexity). The issue is remotely exploitable through any workflow that parses untrusted Git fragment strings via Yarn.
Critical Impact
Remote attackers can degrade availability of Yarn-based build and dependency resolution processes by submitting malicious Git fragment inputs that cause catastrophic regex backtracking.
Affected Products
- Yarnpkg Yarn versions up to and including 1.22.22
- Build systems and CI/CD pipelines relying on the classic Yarn 1.x branch
- Node.js projects using Yarn for dependency resolution against hosted Git sources
Discovery Timeline
- 2025-07-28 - CVE-2025-8262 published to NVD
- 2025-07-31 - Last updated in NVD database
- Patch commit - Fix applied in commit 97731871e674bf93bcbf29e9d3258da8685f3076 via Yarn Pull Request #9199
Technical Details for CVE-2025-8262
Vulnerability Analysis
The vulnerability is an algorithmic complexity flaw in Yarn's hosted Git resolver. The explodeHostedGitFragment function parses Git source fragments used to specify dependencies hosted on platforms such as GitHub, GitLab, and Bitbucket. The regular expression used to decompose these fragments contains overlapping quantifiers that produce exponential backtracking when matched against carefully crafted inputs. Processing such an input consumes CPU resources disproportionate to the input size, stalling the Yarn process. While the vulnerability does not enable code execution or data disclosure, it disrupts dependency installation workflows and can halt automated build pipelines.
Root Cause
The regex pattern in src/resolvers/exotics/hosted-git-resolver.js lacks bounded quantifiers and possessive matching. When evaluating malformed or adversarial Git fragment strings, the regex engine explores an exponential number of match paths before failing. This pattern of inefficient regular expression complexity is documented under [CWE-1333]. The patch in commit 97731871e674bf93bcbf29e9d3258da8685f3076 refines the regex structure to eliminate the catastrophic backtracking condition.
Attack Vector
The attack vector is network-accessible. An attacker controls a package.json dependency entry, a Git URL, or any input flowing into explodeHostedGitFragment. This can occur through pull requests adding malicious dependency specifications, compromised registries, or supply-chain interference. Once Yarn parses the crafted fragment during install or resolution, the process consumes CPU and stalls indefinitely. The vulnerability requires low privileges and no user interaction beyond initiating a normal Yarn operation. See the GitHub patch commit for the corrected parsing logic.
Detection Methods for CVE-2025-8262
Indicators of Compromise
- Yarn install or resolution processes hanging or consuming sustained 100% CPU on a single core
- Long-running node processes invoked by yarn that fail to terminate or time out in CI runners
- package.json entries containing unusually long or malformed Git fragment strings in dependencies or devDependencies
- Build pipeline timeouts during dependency resolution against hosted Git sources
Detection Strategies
- Inventory all build agents and developer workstations running Yarn 1.22.22 or earlier using software composition tooling
- Scan repositories for package.json files containing suspicious hosted Git fragments with unbounded or pathological character sequences
- Monitor CI/CD job durations for anomalous spikes in Yarn install steps
- Apply static analysis to flag dependency entries referencing untrusted hosted Git URLs
Monitoring Recommendations
- Set timeouts on Yarn install steps in CI pipelines to fail fast on resource exhaustion
- Track per-process CPU and wall-clock time for yarn invocations and alert on outliers
- Forward build agent telemetry to a centralized logging platform for correlation across pipelines
- Audit pull requests that modify dependency manifests, particularly those introducing Git-hosted sources
How to Mitigate CVE-2025-8262
Immediate Actions Required
- Upgrade Yarn to a version that includes commit 97731871e674bf93bcbf29e9d3258da8685f3076 or migrate to Yarn Berry (2.x and later)
- Audit package.json files across repositories for untrusted hosted Git dependency entries
- Enforce strict timeouts on dependency installation steps in CI/CD systems
- Restrict which contributors can modify dependency manifests through branch protection and code review
Patch Information
The maintainers committed the fix to the Yarn classic branch in commit 97731871e674bf93bcbf29e9d3258da8685f3076, merged through Yarn Pull Request #9199. The change rewrites the regular expression in explodeHostedGitFragment to eliminate the backtracking condition. Apply the patched release as soon as it is available from the Yarn distribution channel in use. Additional analysis is documented at VulDB #317850.
Workarounds
- Validate and sanitize all dependency entries before invoking Yarn, rejecting Git fragments that exceed reasonable length bounds
- Run Yarn inside containers with CPU and memory limits to contain resource exhaustion
- Mirror dependencies through a trusted internal registry rather than resolving directly from external hosted Git sources
- Pin dependencies to known-good versions and disallow ad-hoc Git URL dependencies in production manifests
# Configuration example: upgrade Yarn and enforce CI timeouts
npm install -g yarn@latest
yarn --version
# Example CI step with a hard timeout to fail fast on ReDoS
timeout 300 yarn install --frozen-lockfile
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

