Versions of the package pacote from 11.2.7 and before 21.5.1 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
{
"cna_assigner": "snyk",
"cwe_ids": [
"CWE-1333"
],
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "11.2.7"
},
{
"fixed": "*"
}
],
"source": "AFFECTED_FIELD"
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9496.json"
}