
Description

Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

Status: PUBLISHED | Reserved 2026-05-25 | Published 2026-05-26 | Updated 2026-05-26 | Assigner: snyk

HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P)
HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P)

Problem types

Denial of Service (DoS)

Product status

11.2.7 and all later versions (semver range): affected

11.2.7 and all later versions (semver range): affected

Credits

Rongchen Li

References

security.snyk.io/vuln/SNYK-JS-PACOTE-8225084

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-16874025

github.com/...d0c4d464b5c/lib/util/add-git-sha.js#L2C1-L13C2

cve.org (CVE-2026-9496)

nvd.nist.gov (CVE-2026-9496)
