Skip to main content

pacote EUVDEUVD-2026-31793

| CVE-2026-9496 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-26 snyk GHSA-w4pp-8pjf-rmxw
7.7
CVSS 4.0 · Vendor: snyk
Share

Severity by source

Vendor (snyk) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (snyk).

CVSS VectorVendor: snyk

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:27 vuln.today
CVSS changed
May 26, 2026 - 13:37 NVD
7.5 (HIGH) 7.7 (HIGH)

DescriptionCVE.org

Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

AnalysisAI

Denial of service in npm's pacote package (versions 11.2.7 and later) allows remote unauthenticated attackers to exhaust CPU by submitting a crafted spec.rawSpec value to the addGitSha function, where vulnerable regex and string-manipulation logic exhibits catastrophic backtracking. CVSS 4.0 scores this 7.7 (high availability impact, no integrity/confidentiality impact) and SSVC labels exploitation as POC with automatable=yes, though EPSS remains low at 0.04% (11th percentile). No active exploitation has been reported and no public exploit identified at time of analysis, but the bug is trivially triggerable wherever pacote parses untrusted package specs.

Technical ContextAI

pacote is the package-fetching library that underpins the npm CLI and many JavaScript tooling ecosystems - it resolves, extracts, and verifies npm packages including Git-based specifications. The vulnerable code lives in lib/util/add-git-sha.js, where addGitSha applies regex replacement and string concatenation against the raw spec string supplied by a caller. The CWE-1333 classification identifies this as Inefficient Regular Expression Complexity (ReDoS), meaning a pathological input drives the regex engine into exponential or polynomial backtracking. Because pacote is consumed transitively by npm itself, yarn, and any tool that accepts user-controllable package specs (registries, CI runners, dependency-analysis services), the surface area extends well beyond direct users of the library. The org.webjars.npm:pacote CPE indicates the same vulnerable code is also republished through the WebJars Maven distribution channel.

RemediationAI

Patch available per vendor advisory - upgrade pacote to the fixed release identified in the Snyk advisories at https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084 and https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-16874025 (exact fixed version is not independently confirmed in the data provided, so consult the advisory for the current safe version). Audit transitive dependencies with npm ls pacote and yarn why pacote, since most exposure is indirect through npm, npm-registry-fetch, or build tooling. If patching is blocked, compensating controls should focus on the input boundary: validate and length-cap any user-supplied package spec strings before they reach pacote (reject specs longer than a few hundred characters and those containing repeated

or @ delimiters), enforce per-request CPU/time budgets on package-resolution workers so a single bad spec cannot stall the event loop indefinitely, and isolate resolution in worker threads or subprocess sandboxes with timeouts. Avoid the broad workaround of disabling Git spec support unless your workflow truly does not need it, as that breaks legitimate git+https:// and github: dependencies.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

EUVD-2026-31793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy