Org Webjars Npm
Monthly
Denial of service in npm's pacote package (versions 11.2.7 and later) allows remote unauthenticated attackers to exhaust CPU by submitting a crafted spec.rawSpec value to the addGitSha function, where vulnerable regex and string-manipulation logic exhibits catastrophic backtracking. CVSS 4.0 scores this 7.7 (high availability impact, no integrity/confidentiality impact) and SSVC labels exploitation as POC with automatable=yes, though EPSS remains low at 0.04% (11th percentile). No active exploitation has been reported and no public exploit identified at time of analysis, but the bug is trivially triggerable wherever pacote parses untrusted package specs.
Denial of service in npm's pacote package (versions 11.2.7 and later) allows remote unauthenticated attackers to exhaust CPU by submitting a crafted spec.rawSpec value to the addGitSha function, where vulnerable regex and string-manipulation logic exhibits catastrophic backtracking. CVSS 4.0 scores this 7.7 (high availability impact, no integrity/confidentiality impact) and SSVC labels exploitation as POC with automatable=yes, though EPSS remains low at 0.04% (11th percentile). No active exploitation has been reported and no public exploit identified at time of analysis, but the bug is trivially triggerable wherever pacote parses untrusted package specs.