Impact
The vulnerability allows a denial of service through the addGitSha function, where a specially crafted spec.rawSpec input triggers regex substitutions stalling or crashing the process.
Affected Systems
The package pacote, used within Node.js ecosystems and referenced under org.webjars.npm, is affected. All currently released versions that have not yet incorporated the fix are vulnerable. Systems that rely on pacote to resolve or fetch Git dependencies could be impacted if they use an unpatched version.
Risk and Exploitability
The CVSS score of 8.7 qualifies this vulnerability as high severity, while the EPSS score remains below 1 % and it is not listed in the CISA KEV catalog, indicating no widespread known exploits yet. An attacker can trigger the denial of service string that is processed by addGitSha. Based on the description, it is inferred that the likely attack vector is local or remote when the application or build step processes untrusted dependency specifications.
OpenCVE Enrichment