CVE-2025-9308: 
JavaScript vulnerability analysis and mitigation

A vulnerability has been discovered in yarnpkg Yarn versions up to 1.22.22, identified as CVE-2025-9308. The vulnerability affects the setOptions function in the src/util/request-manager.js file and is related to inefficient regular expression complexity. This security issue only impacts products that are no longer supported by the maintainer and requires local access to exploit (VulDB).

The vulnerability is classified as a Regular Expression Denial of Service (ReDoS) issue, categorized under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption). It has received a CVSS v4.0 base score of 4.8 (Medium) with vector CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 3.3 (Low) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (VulDB, NVD).

The vulnerability can lead to extremely high CPU usage, application freezing, or denial of service when processing specially crafted input strings. The impact primarily affects the availability of the system, while confidentiality and integrity remain uncompromised (GitHub PR, VulDB).

Currently, there are no known mitigation strategies documented for this vulnerability. Since the affected versions are no longer supported by the maintainer, it is recommended to replace the affected product with an alternative solution (VulDB).