yarn icon indicating copy to clipboard operation
yarn copied to clipboard
verified publisher icon yarnpkg

Request manager re dos

Open mmmsssttt404 opened this issue 4 months ago • 0 comments

Steps to reproduce Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

https://github.com/yarnpkg/yarn/blob/7cafa512a777048ce0b666080a24e80aae3d66a9/src/util/request-manager.js#L187

1.git clone https://github.com/mmmsssttt404/yarn.git
2.yarn install
3.yarn test __tests__/util/request-manager.js

use time: {008E24AF-9CEE-42F3-A5BE-FB2372FC17E1} f307ba7bf4e492b32c4405618d60e57

Proposed Solution: Change the regular expression to https://github.com/mmmsssttt404/yarn/blob/f54fa0f0e0cdec16583b572dec679c9fbf9073a4/src/util/request-manager.js#L187 {F4163767-9749-4D94-B2BF-E8734A2D3424}

{D50FCAB5-A4B5-4C12-8219-5D7B31542E0F}

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS

mmmsssttt404 avatar Aug 13 '25 03:08 mmmsssttt404