PatchSiren cyber security CVE debrief
CVE-2026-9496 npm CVE debrief
CVE-2026-9496 documents a Denial of Service (DoS) vulnerability in the pacote npm package, affecting versions from 11.2.7 onward. The flaw resides in the addGitSha function, where a maliciously crafted spec.rawSpec value can trigger inefficient regex replacement and string-manipulation logic, leading to excessive CPU consumption and potential process stalling or crash. The vulnerability was published to the CVE List on 26 May 2026 and carries a HIGH severity CVSS 4.0 score of 7.7. The weakness is associated with CWE-1333 (Inefficient Regular Expression Complexity) and CWE-400 (Uncontrolled Resource Consumption). No known exploitation in the wild or ransomware campaign use has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: npm
- Product: pacote
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Development teams using pacote directly or transitively through npm, yarn, or other Node.js package managers; DevOps engineers managing CI/CD pipelines with automated dependency resolution; security teams monitoring supply chain risks in JavaScript/Node.js ecosystems; and organizations running private npm registries or internal package proxy services that utilize pacote for metadata retrieval and package extraction.
Technical summary
The pacote package (versions ≥11.2.7) contains a Denial of Service vulnerability in the addGitSha utility function. The function performs regex replacement and string manipulation on the spec.rawSpec parameter without adequate safeguards against computationally expensive inputs. An attacker can supply a specially crafted spec.rawSpec value that causes the regex engine to exhibit catastrophic backtracking or excessive iteration, resulting in high CPU utilization. This can stall the event loop in Node.js applications, leading to denial of service conditions. The vulnerability is remotely exploitable in contexts where attacker-controlled package specifications are processed by pacote, such as in automated build systems, package registries, or CI/CD pipelines that dynamically resolve git-based dependencies.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade pacote to a patched version when available; monitor the npm/pacote GitHub repository for security releases
- Review application dependencies to identify usage of pacote versions 11.2.7 and above
- Implement input validation and sanitization for any user-controlled spec.rawSpec values passed to pacote functions
- Consider implementing resource limits (CPU/memory) for processes utilizing pacote in production environments
- Monitor for unusual CPU consumption patterns in applications using pacote that may indicate exploitation attempts
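The input-validation action above, as an added defensive example that is not pacote's own code and is not derived from the vulnerable addGitSha logic: a linear-time pre-check that rejects oversized or oddly shaped spec.rawSpec values before they reach pacote. The length limits and the allowed character set are assumptions chosen for this example, not values from the advisory.

```javascript
// Added example, not pacote's own code: a conservative pre-check applied to
// attacker-influenced spec.rawSpec values before they are handed to pacote.
// The length limits and the allowed character set are assumptions chosen for
// this example; they are not taken from the advisory or from pacote.
const MAX_RAW_SPEC_LENGTH = 512;      // assumption: generous for real git specs
const MAX_COMMITTISH_LENGTH = 64;     // assumption: room for a full sha or a short ref
const EXTRA_ALLOWED = '-._~:/@#+^=';  // assumption: punctuation seen in git specs

// One pass over the string with no regex: every character is examined once,
// so the cost is linear in the input length whatever shape the input has.
function hasOnlyAllowedChars(s) {
  for (const ch of s) {
    const alnum = (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
                  (ch >= '0' && ch <= '9');
    if (!alnum && !EXTRA_ALLOWED.includes(ch)) return false;
  }
  return true;
}

// Returns { ok, reason }; callers should reject the spec when ok is false
// instead of passing it on to pacote.
function checkRawSpec(rawSpec) {
  if (typeof rawSpec !== 'string') return { ok: false, reason: 'not a string' };
  if (rawSpec.length === 0) return { ok: false, reason: 'empty' };
  if (rawSpec.length > MAX_RAW_SPEC_LENGTH) return { ok: false, reason: 'too long' };
  if (!hasOnlyAllowedChars(rawSpec)) return { ok: false, reason: 'disallowed characters' };
  const hashIdx = rawSpec.indexOf('#');
  if (hashIdx !== -1) {
    const committish = rawSpec.slice(hashIdx + 1);
    if (committish.length > MAX_COMMITTISH_LENGTH) return { ok: false, reason: 'committish too long' };
    if (committish.includes('#')) return { ok: false, reason: 'multiple # fragments' };
  }
  return { ok: true, reason: '' };
}

// Constructed sample inputs: two ordinary git specs and two oversized ones.
const SAMPLE_SPECS = [
  'github:npm/pacote#v11.2.7',
  'git+https://github.com/npm/pacote.git#0123456789abcdef0123456789abcdef01234567',
  'github:npm/pacote#' + '#'.repeat(100),
  'a'.repeat(10000),
];
function main() {
  for (const spec of SAMPLE_SPECS) {
    const r = checkRawSpec(spec);
    console.log(`${r.ok ? 'ALLOW' : 'REJECT'} ${r.reason || 'ok'}: ${spec.slice(0, 60)}`);
  }
}
main();
```

The check is deliberately an allowlist rather than a blocklist, so a rejected spec should be logged with its reason; a sudden rise in rejections is the same signal the CPU-monitoring action above is looking for.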
Evidence notes
The vulnerability description and affected versions are sourced from the official CVE record and NVD entry. The technical details regarding the addGitSha function and spec.rawSpec manipulation are derived from Snyk's advisory. The CVSS 4.0 vector and score are taken from the NVD entry. No evidence of active exploitation or KEV listing was found in the supplied source corpus.
Official resources
The vulnerability was disclosed via Snyk's security research program and subsequently published in the NVD. The affected component is the pacote package, a widely-used npm library for package extraction and metadata retrieval. The vendor (N