fix:Potential ReDoS Vulnerability or Inefficient Regular Expression in Project: Need for Assessment and Mitigation

[mmmsssttt404]

Steps to reproduce
Hello,

I am writing to report a potential Regular Expression Denial of Service (ReDoS) vulnerability or Inefficient Regular Expression in the project. When using specially crafted input strings in the context, it may lead to extremely high CPU usage, application freezing, or denial of service attacks.

Location of Issue:

The vulnerability is related to a regular expression used in the following validation file, which may result in significantly prolonged execution times under certain conditions.

yarn/src/resolvers/exotics/hosted-git-resolver.js

Lines 32 to 36 in 7cafa51

	const parts = fragment
	.replace(/(.*?)#.*/, '$1') // Strip hash
	.replace(/.*:(.*)/, '$1') // Strip prefixed protocols
	.replace(/.git$/, '') // Strip the .git suffix
	.split('/');

1.git clone https://github.com/mmmsssttt404/yarn.git
2.yarn install
3.change test file
4.yarn test tests/resolvers/exotics/hosted-git-resolver.js

use time: 使用时间：

Proposed Solution:
Change the regular expression to
https://github.com/mmmsssttt404/yarn/blob/97731871e674bf93bcbf29e9d3258da8685f3076/src/resolvers/exotics/hosted-git-resolver.js#L32-L37

Thank you for your attention to this matter. Your evaluation and response to this potential security concern would be greatly appreciated.

Best regards,

Search keywords: ReDoS

[jonathandeclan]

as this fix is to address vulnerability here in https://nvd.nist.gov/vuln/detail/CVE-2025-8262 , will this be merged soon?

[MikeMcC399]

@jonathandeclan

as this fix is to address vulnerability here in https://nvd.nist.gov/vuln/detail/CVE-2025-8262 , will this be merged soon?

Probably not ... see the notice at the top level of the repo:

• There hasn't been any merge to the default branch since May 2024.

• The CI workflow is unmaintained and failing. See CircleCI nightly job is broken #9069