{"id":"CVE-2026-9496","details":"Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic,  causing excessive CPU consumption and potentially stalling or crashing the process.","modified":"2026-07-09T10:14:57.572299249Z","published":"2026-05-26T05:00:07.813Z","related":["SUSE-SU-2026:22368-1","SUSE-SU-2026:2633-1","SUSE-SU-2026:2647-1","SUSE-SU-2026:2695-1","openSUSE-SU-2026:11121-1","openSUSE-SU-2026:21058-1","openSUSE-SU-2026:21236-1"],"database_specific":{"cwe_ids":["CWE-1333"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9496.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"11.2.7"},{"fixed":"*"}]}],"cna_assigner":"snyk"},"references":[{"type":"WEB","url":"https://github.com/npm/pacote/blob/9d7459440826ab4cf962ef98d8f3fd0c4d464b5c/lib/util/add-git-sha.js%23L2C1-L13C2"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-16874025"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9496.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9496"},{"type":"FIX","url":"https://github.com/npm/pacote/commit/ce804fb1647fe1699b2f87efd01ea9f4efed8508"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/npm/pacote","events":[{"introduced":"7cedb6b5dbd68920d376a5ce6e9025679a78c384"},{"fixed":"d36266f5e4001cffdf70de242b6e825cef06f0c1"}],"database_specific":{"extracted_events":[{"introduced":"11.2.7"},{"fixed":"21.5.1"}],"source":"AFFECTED_FIELD"}}],"versions":["v21.5.0","v21.4.0","v20.0.0","v19.0.1","v21.3.1","v21.3.0","v21.2.0","v21.1.0","v21.0.4","v21.0.3","v21.0.2","v21.0.1","v21.0.0","v19.0.0","v18.0.6","v18.0.5","v18.0.4","v18.0.3","v18.0.2","v18.0.1","v18.0.0","v17.0.7","v17.0.6","v17.0.5","v17.0.4","v17.0.3","v17.0.2","v17.0.1","v17.0.0","v16.0.0","v15.2.0","v15.1.3","v15.1.2","v15.1.1","v15.1.0","v15.0.8","v15.0.7","v15.0.6","v15.0.5","v15.0.4","v15.0.3","v15.0.2","v15.0.1","v15.0.0","v14.0.0","v14.0.0-pre.3","v14.0.0-pre.2","v14.0.0-pre.1","v14.0.0-pre.0","v13.6.2","v13.6.1","v13.6.0","v13.5.0","v13.4.1","v13.4.0","v13.3.0","v13.2.0","v13.1.1","v13.1.0","v13.0.6","v13.0.5","v13.0.4","v13.0.3","v13.0.2","v13.0.1","v13.0.0","v12.0.3","v12.0.2","v12.0.1","v12.0.0","v11.3.5","v11.3.4","v11.3.3","v11.3.2","v11.3.1","v11.2.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9496.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"}]}