npm/pacote

Releases237

Frequency2 weeks 11 hours

Last Release 9 days ago

Stars393

npm fetcher

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2026-9496 ↗	May 26, 2026Tuesday, 26 May 2026, 07:16	7.5 HIGH	—
Versions of the package pacote from 11.2.7 are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function’s regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.