Home

Description

Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

PUBLISHED Reserved 2026-05-25 | Published 2026-05-26 | Updated 2026-07-07 | Assigner snyk




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P

Problem types

Denial of Service (DoS)

Product status

11.2.7 (semver) before 21.5.1
affected

11.2.7 (semver) before *
affected

Credits

Rongchen Li

References

security.snyk.io/vuln/SNYK-JS-PACOTE-8225084 exploit

security.snyk.io/vuln/SNYK-JS-PACOTE-8225084

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-16874025

github.com/...d0c4d464b5c/lib/util/add-git-sha.js#L2C1-L13C2

github.com/...ommit/ce804fb1647fe1699b2f87efd01ea9f4efed8508

cve.org (CVE-2026-9496)

nvd.nist.gov (CVE-2026-9496)

Download JSON