Yarn Regular Expression Denial-of-Service Vulnerability in Request Manager

A denial-of-service vulnerability has been identified in Yarn package manager versions through 1.22.22. The issue arises in the 'setOptions' function within 'src/util/request-manager.js', where an inefficient regular expression can be exploited. This vulnerability requires local access to reproduce and only affects unsupported versions of Yarn.

Impact

Exploitation of this vulnerability leads to a regular expression denial-of-service, causing excessive CPU usage and potentially freezing the application.

Reproduction

The vulnerability can be reproduced by embedding maliciously crafted code blocks into Markdown that is parsed by the application. This can be done by using Yarn version 1.22.22, after cloning the repository and installing the necessary dependencies. The 'yarn test' command can be used to trigger the vulnerability by testing the 'util/request-manager.js' file, which will execute the code that contains the inefficient regular expression.