Description
Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
Published: 2026-05-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a denial of service through the addGitSha function, where a specially crafted spec.rawSpec input triggers regex substitutions stalling or crashing the process.

Affected Systems

The package pacote, used within Node.js ecosystems and referenced under org.webjars.npm, is affected. All currently released versions that have not yet incorporated the fix are vulnerable. Systems that rely on pacote to resolve or fetch Git dependencies could be impacted if they use an unpatched version.

Risk and Exploitability

The CVSS score of 8.7 qualifies this vulnerability as high severity, while the EPSS score remains below 1 % and it is not listed in the CISA KEV catalog, indicating no widespread known exploits yet. An attacker can trigger the denial of service string that is processed by addGitSha. Based on the description, it is inferred that the likely attack vector is local or remote when the application or build step processes untrusted dependency specifications.

Generated by OpenCVE AI on June 27, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade pacote to the latest release that includes the fix.
  • If an update is not immediately possible, configure your environment so that untrusted dependency specifications are not processed by addGitSha, or sanitize spec.rawSpec input to prevent malicious payloads.
  • Audit any custom code that interacts with pacote’s addGitSha function, ensuring input validation against allowed patterns to prevent regex‑based exhaustion.

Generated by OpenCVE AI on June 27, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via addGitSha in pacote due to malicious spec.rawSpec input

Sat, 27 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process. Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
References

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Npmjs
Npmjs pacote
Vendors & Products Npmjs
Npmjs pacote

Tue, 26 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via RegExp Replacement in pacote addGitSha Function

Tue, 26 May 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via RegExp Replacement in pacote addGitSha Function

Tue, 26 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}


cve-icon MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-06-27T15:25:16.972Z

Reserved: 2026-05-25T09:30:49.118Z

Link: CVE-2026-9496

cve-icon Vulnrichment

Updated: 2026-05-26T12:34:11.254Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-26T07:16:19.410

Modified: 2026-06-17T11:05:22.400

Link: CVE-2026-9496

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-27T16:30:17Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity

  • CWE-400

    Uncontrolled Resource Consumption