VYPR
High severity (7.5) · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-9496

Description

Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The pacote npm package versions >=11.2.7 are vulnerable to Denial of Service via a crafted spec.rawSpec that triggers excessive CPU consumption in the addGitSha function.

Vulnerability

The pacote package (versions >=11.2.7) is a JavaScript package downloader. It contains a Denial of Service (DoS) vulnerability in the addGitSha function (/lib/util/add-git-sha). The function applies regex replacement and string manipulation on the spec.rawSpec value; a specially crafted input with a long sequence of # characters followed by \n@ triggers exponential CPU usage, effectively hanging the process. [1][2]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious input for the spec.rawSpec field. No authentication is required; the attacker only needs to trigger a package resolution request that invokes addGitSha with the crafted spec. The proof of concept demonstrates that providing a rawSpec string of one million # characters followed by \n@ causes the process to hang indefinitely with high CPU usage. [1][2]

Impact

Successful exploitation results in a Denial of Service (DoS). The affected process becomes unresponsive and may be killed due to excessive resource consumption. This can lead to service disruption for applications relying on pacote to download or resolve npm packages. [1][2]

Mitigation

As of the latest advisory, there is no fixed version for pacote. Users should monitor the package repository for updates or consider replacing pacote with an alternative package if feasible. No workarounds are mentioned in the available references. [1][2]
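As an added illustration (not pacote's code, and not a workaround from the advisory, which lists none): a caller-side screen that rejects pathological spec strings before they are handed to a resolver. The length budget, the repeated-character limit and the `resolve` callback are assumptions made for the example; a screen like this reduces the exposure of a service that accepts dependency strings from users, but it does not replace a fixed release.

```javascript
// Added example, not pacote's code. Assumption: the caller controls the
// string that ends up as spec.rawSpec (for example a user-supplied
// dependency string in a web service) and can refuse it up front.

const MAX_RAW_SPEC_LENGTH = 2048; // assumed budget; real git specs are far shorter
const MAX_REPEAT_RUN = 16;        // longest run of one repeated character tolerated

// Returns null when the spec passes, otherwise a short reason string.
function checkRawSpec(rawSpec) {
  if (typeof rawSpec !== 'string') return 'not a string';
  if (rawSpec.length > MAX_RAW_SPEC_LENGTH) return 'too long';
  // Newlines and other control characters never occur in a legitimate
  // package spec; the trigger described in the advisory relies on "\n@".
  if (/[\u0000-\u001f\u007f]/.test(rawSpec)) return 'control character';
  // Reject long runs of a single repeated character (e.g. "####...") in
  // one linear pass, so the check itself cannot be made slow.
  let run = 1;
  for (let i = 1; i < rawSpec.length; i++) {
    run = rawSpec[i] === rawSpec[i - 1] ? run + 1 : 1;
    if (run > MAX_REPEAT_RUN) return 'repeated character run';
  }
  return null;
}

// Wrap a resolver so untrusted specs are screened first. `resolve` is a
// hypothetical stand-in for the call that would hand the spec to pacote.
async function safeResolve(rawSpec, resolve) {
  const reason = checkRawSpec(rawSpec);
  if (reason !== null) {
    throw new Error(`rejected package spec (${reason})`);
  }
  return resolve(rawSpec);
}
```

Usage: call `safeResolve(spec, (s) => pacote.manifest(s))` (or whichever resolver the service uses) and treat a thrown rejection as a client error rather than passing the spec on. The screen is deliberately conservative; tune the limits to the longest spec the service legitimately accepts.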

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • npm/pacote, 2 versions, range: >=11.2.7 (no CPE assigned)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.