Description
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
Published: 2026-05-26
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Versions of the package pacote from 11.2.7 have a flaw in the addGitSha helper that processes a supplied spec.rawSpec value. The function performs a regex replacement and subsequent string manipulation that, when fed a specially crafted input, can trigger an excessive loop and consume large amounts of CPU time. The effect is a denial of service: the npm or Node.js process may stall or crash, disrupting software installation or deployment.

Affected Systems

The affected product is the pacote library used within Node.js ecosystems, including the npm package “pacote” and its reference under org.webjars.npm. Vulnerable releases start at version 11.2.7 and continue to the most recent versions unless patched. Any system that relies on pacote to resolve or fetch Git dependencies is at risk if the version being used is within the affected range.

Risk and Exploitability

The CVSS score of 8.7 qualifies it as high severity, yet the EPSS score is unavailable and it is not listed in the CISA KEV catalog, suggesting no widely known exploits yet. An attacker can trigger the denial of service by supplying a malicious spec.rawSpec string that is then processed by addGitSha. The flaw is reachable locally or remotely wherever an application or build step processes untrusted dependency specifications.

Generated by OpenCVE AI on May 26, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update pacote to a version that includes the fix, such as the latest release after 11.2.7
  • If an update is not immediately possible, adjust your dependency resolution to avoid using addGitSha, or pre-sanitize spec.rawSpec inputs to eliminate malicious payloads
  • Review and audit any custom code that interfaces with pacote’s addGitSha function, ensuring that inputs are validated against allowed patterns to prevent regex-based exhaustion
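As an added example (not pacote's or OpenCVE's code), the pre-sanitization the actions above describe, implemented as a bounded allowlist check on spec.rawSpec before the string is handed to pacote. The advisory does not give the regex used by addGitSha, so the check constrains input size and shape only; the length caps, the accepted spec forms (hosted shorthand, git URLs, committish grammar) and the sample inputs are assumptions.

```javascript
// Added example (not pacote's own code): reject oversized or malformed Git specs
// before they reach pacote. The regex inside addGitSha is not known from the
// advisory, so this guards input size and shape with anchored, bounded patterns.

const MAX_SPEC_LENGTH = 512;        // assumption: far above any legitimate spec
const MAX_COMMITTISH_LENGTH = 128;  // assumption: refs, shas and semver ranges are short

// Hosted shorthand such as github:owner/repo (gist: may carry a single segment).
const HOSTED_RE = /^(?:github|gitlab|bitbucket|gist):[A-Za-z0-9_.-]{1,100}(?:\/[A-Za-z0-9_.-]{1,100})?$/;
// Explicit git URL: git://, git+https://, git+ssh:// or git+file://
const GIT_URL_RE = /^git(?:\+(?:https?|ssh|file))?:\/\/[A-Za-z0-9_.@:\/-]{1,300}$/;
// Committish after '#': abbreviated or full hex sha, a semver: selector, or a ref name.
const COMMITTISH_RE = /^(?:[0-9a-f]{7,40}|semver:[A-Za-z0-9 .^~<>=|*+-]{1,64}|[A-Za-z0-9][A-Za-z0-9_.\/-]{0,127})$/;

// Returns { ok: false, reason } on rejection, { ok: true, base, committish } otherwise.
function validateGitSpec(rawSpec) {
  if (typeof rawSpec !== 'string') return { ok: false, reason: 'spec is not a string' };
  // Length checks come first so no regex ever runs over an oversized input.
  if (rawSpec.length > MAX_SPEC_LENGTH) return { ok: false, reason: 'spec too long' };
  // Split on the first '#' with indexOf/slice: linear time and regex-free.
  const hash = rawSpec.indexOf('#');
  const base = hash === -1 ? rawSpec : rawSpec.slice(0, hash);
  const committish = hash === -1 ? '' : rawSpec.slice(hash + 1);
  if (committish.length > MAX_COMMITTISH_LENGTH) return { ok: false, reason: 'committish too long' };
  if (!HOSTED_RE.test(base) && !GIT_URL_RE.test(base)) return { ok: false, reason: 'unrecognised git location' };
  if (committish !== '' && !COMMITTISH_RE.test(committish)) return { ok: false, reason: 'malformed committish' };
  return { ok: true, base, committish };
}

// Partition a batch of raw specs (from a manifest or lockfile) into those that may
// be handed to pacote and those to report, each with its rejection reason.
function partitionSpecs(specs) {
  const accepted = [], rejected = [];
  for (const spec of specs) {
    const result = validateGitSpec(spec);
    if (result.ok) accepted.push(spec);
    else rejected.push({ spec: String(spec).slice(0, 40), reason: result.reason });
  }
  return { accepted, rejected };
}

// Constructed sample inputs: two legitimate specs and three that must be refused.
const SAMPLE_SPECS = [
  'github:npm/pacote#v11.2.7',
  'git+https://github.com/npm/pacote.git#semver:^11',
  'github:npm/pacote#' + 'A'.repeat(300),  // committish far over the cap
  'github:npm/pacote#../../etc',           // committish outside the ref grammar
  'http://example.com/repo.git',           // not a git spec at all
];
console.log(JSON.stringify(partitionSpecs(SAMPLE_SPECS), null, 2));
```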

Advisories

No advisories yet.

History

Tue, 26 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via RegExp Replacement in pacote addGitSha Function

Tue, 26 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-05-26T05:00:07.813Z

Reserved: 2026-05-25T09:30:49.118Z

Link: CVE-2026-9496

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T07:30:36Z

Weaknesses