CVE-2026-9496
Status: Awaiting Analysis (Queue)
Denial of Service in pacote via addGitSha Function

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: Snyk

Description
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
Meta Information

Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products
Currently, no data is known.
CWE

CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
AI Quick Actions
Executive Summary

CVE-2026-9496 is a Denial of Service (DoS) vulnerability affecting the pacote package, specifically versions 11.2.7 and above.

The vulnerability exists in the addGitSha function, where an attacker can supply a specially crafted spec.rawSpec value that triggers excessive regex replacement and string-manipulation operations.

This causes excessive CPU consumption, which can stall or crash the process, impacting the availability of the system.

The exploit requires no special privileges, user interaction, or conditions, and can be performed over the network.

Impact Analysis

This vulnerability can lead to Denial of Service by causing excessive CPU usage through the addGitSha function when processing a malicious spec.rawSpec value.

As a result, the affected process may stall or crash, leading to unavailability of the service or application relying on the pacote package.

There is no impact on confidentiality or integrity, but the availability of the system is compromised.

Detection Guidance

There is no specific detection method or commands provided in the available resources for identifying this vulnerability on your network or system.

Mitigation Strategies

Since no fixed version of the pacote package is currently available, immediate mitigation consists of limiting and monitoring use of the vulnerable addGitSha code path, ensuring that untrusted input never reaches the spec.rawSpec value, and applying general DoS protections such as rate limiting and resource-usage monitoring.

Compliance Impact

This vulnerability is a Denial of Service (DoS) issue that impacts system availability by causing excessive CPU consumption and potentially stalling or crashing the process.

It does not affect confidentiality or integrity of data.

Since the vulnerability does not compromise confidentiality or integrity, it does not directly impact compliance with standards and regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.
