Skip to main content

Pacote

1 CVEs product

Monthly

CVE-2026-9496 HIGH PATCH This Week

Denial of service in npm's pacote package (versions 11.2.7 and later) allows remote unauthenticated attackers to exhaust CPU by submitting a crafted spec.rawSpec value to the addGitSha function, where vulnerable regex and string-manipulation logic exhibits catastrophic backtracking. CVSS 4.0 scores this 7.7 (high availability impact, no integrity/confidentiality impact) and SSVC labels exploitation as POC with automatable=yes, though EPSS remains low at 0.04% (11th percentile). No active exploitation has been reported and no public exploit identified at time of analysis, but the bug is trivially triggerable wherever pacote parses untrusted package specs.

Denial Of Service Pacote Org Webjars Npm
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Denial of service in npm's pacote package (versions 11.2.7 and later) allows remote unauthenticated attackers to exhaust CPU by submitting a crafted spec.rawSpec value to the addGitSha function, where vulnerable regex and string-manipulation logic exhibits catastrophic backtracking. CVSS 4.0 scores this 7.7 (high availability impact, no integrity/confidentiality impact) and SSVC labels exploitation as POC with automatable=yes, though EPSS remains low at 0.04% (11th percentile). No active exploitation has been reported and no public exploit identified at time of analysis, but the bug is trivially triggerable wherever pacote parses untrusted package specs.

Denial Of Service Pacote Org Webjars Npm
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy