CVE-2026-9496
BaseFortify
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Snyk
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability is a Denial of Service (DoS) issue that impacts system availability by causing excessive CPU consumption and potentially stalling or crashing the process.
It does not affect confidentiality or integrity of data.
Since the vulnerability does not compromise confidentiality or integrity, it does not directly impact compliance with standards and regulations such as GDPR or HIPAA, which primarily focus on protecting personal data privacy and integrity.
Can you explain this vulnerability to me?
CVE-2026-9496 is a Denial of Service (DoS) vulnerability affecting the pacote package, specifically versions 11.2.7 and above.
The vulnerability exists in the addGitSha function, where an attacker can supply a specially crafted spec.rawSpec value that triggers excessive regex replacement and string-manipulation operations.
This causes excessive CPU consumption, which can stall or crash the process, impacting the availability of the system.
The exploit requires no special privileges, user interaction, or conditions, and can be performed over the network.
How can this vulnerability impact me?
This vulnerability can lead to Denial of Service by causing excessive CPU usage through the addGitSha function when processing a malicious spec.rawSpec value.
As a result, the affected process may stall or crash, leading to unavailability of the service or application relying on the pacote package.
There is no impact on confidentiality or integrity, but the availability of the system is compromised.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There is no specific detection method or commands provided in the available resources for identifying this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
Since there is currently no fixed version available for the pacote package, immediate mitigation steps include: monitoring and limiting use of the vulnerable addGitSha function; restricting untrusted input that could reach the spec.rawSpec value; and applying general DoS protections such as rate limiting and resource usage monitoring.
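One concrete form of the "restrict untrusted input" and "rate limiting" mitigations above, as an added example that is not pacote's own code: a gate that rejects oversized or malformed spec strings before they are handed to a pacote resolver, plus a fixed-window rate limiter keyed by caller. The 512-character cap, the printable-ASCII character policy and the quota are assumptions chosen for this example.

```javascript
// Added defensive example (not from pacote). MAX_SPEC_LENGTH, SPEC_CHARSET and the
// limiter quota are assumptions; tune them to the specs your service really accepts.
const MAX_SPEC_LENGTH = 512;

// Printable ASCII without whitespace covers npm names, version ranges,
// git URLs and tarball URLs; anything else is rejected before it reaches pacote.
const SPEC_CHARSET = /^[\x21-\x7e]+$/;

class SpecRejectedError extends Error {}

// Returns the spec unchanged if it passes the policy, otherwise throws.
// Bounding length bounds the work any superlinear regex can do on rawSpec.
function gateRawSpec(rawSpec, maxLength = MAX_SPEC_LENGTH) {
  if (typeof rawSpec !== 'string') {
    throw new SpecRejectedError('spec must be a string');
  }
  if (rawSpec.length > maxLength) {
    throw new SpecRejectedError(`spec exceeds ${maxLength} characters`);
  }
  if (!SPEC_CHARSET.test(rawSpec)) {
    throw new SpecRejectedError('spec contains whitespace or non-printable characters');
  }
  return rawSpec;
}

// Fixed-window rate limiter keyed by caller id. `now` is injectable for testing.
function makeRateLimiter({ limit = 20, windowMs = 60000 } = {}) {
  const windows = new Map();
  return function allow(callerId, now = Date.now()) {
    const w = windows.get(callerId);
    if (!w || now - w.start >= windowMs) {
      windows.set(callerId, { start: now, count: 1 });
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}

// Wrap a resolver (for example pacote.resolve) so every call passes both checks.
function guardedResolver(resolve, allow) {
  return function (callerId, rawSpec, opts) {
    if (!allow(callerId)) {
      throw new SpecRejectedError('rate limit exceeded');
    }
    return resolve(gateRawSpec(rawSpec), opts);
  };
}
```

The wrapper only controls what reaches pacote; it does not change pacote itself, so upgrade as soon as a fixed version is published.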