CVE-2026-9496: Denial of Service (DoS) in pacote
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
AI Analysis
Technical Summary
The pacote package version 11.2.7 contains a vulnerability in the addGitSha function where a specially crafted spec.rawSpec input triggers inefficient regex and string manipulation logic. This results in excessive CPU usage, causing a Denial of Service condition by stalling or crashing the process. The vulnerability is remotely exploitable without authentication and does not require user interaction. The affected package is used as a cloud service, and the vendor manages remediation for this environment.
Potential Impact
Successful exploitation leads to Denial of Service by consuming excessive CPU resources, potentially stalling or crashing the process running pacote. This can disrupt availability of services relying on this package. There are no reports of active exploitation in the wild.
Mitigation Recommendations
The vendor manages remediation for this cloud-hosted service and typically applies patches server-side. A patch is available for this vulnerability. Users should verify with the vendor advisory that their cloud service instance has been updated to address this issue. No additional user action is required if the service is fully managed by the vendor.
CVE-2026-9496: Denial of Service (DoS) in pacote
Description
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The pacote package version 11.2.7 contains a vulnerability in the addGitSha function where a specially crafted spec.rawSpec input triggers inefficient regex and string manipulation logic. This results in excessive CPU usage, causing a Denial of Service condition by stalling or crashing the process. The vulnerability is remotely exploitable without authentication and does not require user interaction. The affected package is used as a cloud service, and the vendor manages remediation for this environment.
Potential Impact
Successful exploitation leads to Denial of Service by consuming excessive CPU resources, potentially stalling or crashing the process running pacote. This can disrupt availability of services relying on this package. There are no reports of active exploitation in the wild.
Mitigation Recommendations
The vendor manages remediation for this cloud-hosted service and typically applies patches server-side. A patch is available for this vulnerability. Users should verify with the vendor advisory that their cloud service instance has been updated to address this issue. No additional user action is required if the service is fully managed by the vendor.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- snyk
- Date Reserved
- 2026-05-25T09:30:49.118Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a153cbca5ae1af1aa706add
Added to database: 5/26/2026, 6:25:00 AM
Last enriched: 5/26/2026, 6:39:53 AM
Last updated: 5/26/2026, 12:43:28 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.