What is GHSA-w4pp-8pjf-rmxw?

GHSA-w4pp-8pjf-rmxw is a security advisory published by GitHub Security Advisories with High severity. Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the...

Which CVE IDs does GHSA-w4pp-8pjf-rmxw cover?

GHSA-w4pp-8pjf-rmxw covers the following CVE IDs: CVE-2026-9496. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-w4pp-8pjf-rmxw?

GHSA-w4pp-8pjf-rmxw has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

GHSA-w4pp-8pjf-rmxwHighCVSS 7.5

Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-9496 →

📋 Description

Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.

🔗 References (5)

https://nvd.nist.gov/vuln/detail/CVE-2026-9496
https://github.com/npm/pacote/blob/9d7459440826ab4cf962ef98d8f3fd0c4d464b5c/lib/util/add-git-sha.js%23L2C1-L13C2
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-16874025
https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084
https://github.com/advisories/GHSA-w4pp-8pjf-rmxw