Pacote Denial-of-Service Vulnerability in Versions 11.2.7 and Later

Vulnerability

A denial-of-service vulnerability has been identified in the Pacote package, affecting versions 11.2.7 and later. The issue lies in the addGitSha function: an attacker who controls the spec.rawSpec value can supply a specially crafted string that drives the function's regex replacement and string-manipulation logic into excessive CPU work, stalling or crashing the process.

Impact

Exploitation of this vulnerability causes high CPU consumption, potentially stalling or crashing the process.

Reproduction

To reproduce this vulnerability, first install the Pacote package. Then, create a JavaScript file that imports the addGitSha function from Pacote's utility library. In the file, generate a string consisting of one million hash characters, followed by a newline and an '@' symbol. This crafted string should be set as the rawSpec value in a spec object. After logging 'start' to the console, call the addGitSha function with the spec object. Finally, log 'end' to the console. When this script is run, the process will become unresponsive due to high CPU usage.
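The following is an added example, not Pacote's own code and not quoted from the advisory. It assumes the committish-stripping step inside addGitSha looks like a replace with a regex of the shape /#.*$/ (the advisory does not show the source, so that shape is an assumption used for illustration), and shows why the input described above is expensive for it: `.*` runs up to the newline, `$` fails because the string does not end there, and the engine backtracks from every '#' start position, which is quadratic in the length of the run of '#' characters. Beside it sit two defensive forms a maintainer or an integrator can apply: a linear-time indexOf/slice stripper, and an input guard with an assumed length bound (MAX_RAW_SPEC_LENGTH is not a Pacote setting) that rejects line breaks and oversized specs before any string processing. Only the hardened functions are run on the crafted input.

```javascript
// Added example (not pacote's code): a regex of the shape /#.*$/ is ASSUMED
// here to illustrate the "strip the committish, then re-append the sha" step.
// With a newline after a long run of '#', `.*` stops at the newline, `$` fails
// (no `m` flag), and the engine retries from every '#' position: O(n^2) work.
function addGitShaRegexShaped(spec, sha) {
  return spec.rawSpec.replace(/#.*$/, '') + `#${sha}`;
}

// Hardened form: cut at the first '#' with indexOf/slice. One linear scan,
// no backtracking, so the crafted input costs the same as any other string.
function addGitShaLinear(spec, sha) {
  const raw = spec.rawSpec;
  const hash = raw.indexOf('#');
  const base = hash === -1 ? raw : raw.slice(0, hash);
  return `${base}#${sha}`;
}

// Defence in depth: reject what no legitimate git spec contains before any
// string processing. The length limit is an assumed bound, not a pacote value.
const MAX_RAW_SPEC_LENGTH = 4096; // assumption for this example
function validateRawSpec(raw) {
  if (typeof raw !== 'string') return 'rawSpec must be a string';
  if (raw.length > MAX_RAW_SPEC_LENGTH) return 'rawSpec too long';
  if (/[\r\n]/.test(raw)) return 'rawSpec contains a line break';
  return null; // acceptable
}

function addGitShaGuarded(spec, sha) {
  const problem = validateRawSpec(spec.rawSpec);
  if (problem !== null) throw new Error(`rejected git spec: ${problem}`);
  return addGitShaLinear(spec, sha);
}

// Constructed sample inputs (not from the advisory): ordinary git specs.
const SAMPLE_SPECS = [
  'git+https://github.com/example/repo.git',
  'git+https://github.com/example/repo.git#v1.2.3',
  'git+ssh://git@github.com:example/repo.git#semver:^2',
  'github:example/repo',
];
const SAMPLE_SHA = 'deadbeef' + '0'.repeat(32); // constructed 40-hex placeholder

// On well-formed (newline-free) specs the linear stripper is a drop-in
// replacement: both produce the same result.
function strippersAgree() {
  return SAMPLE_SPECS.every((rawSpec) =>
    addGitShaRegexShaped({ rawSpec }, SAMPLE_SHA) ===
    addGitShaLinear({ rawSpec }, SAMPLE_SHA));
}

// The input shape the advisory describes: a run of '#', a newline, then '@'.
// It is only ever fed to the guard and the linear stripper below.
function craftedRawSpec(count) {
  return '#'.repeat(count) + '\n@';
}

function guardRejectsCrafted() {
  return validateRawSpec(craftedRawSpec(1000000)) !== null;
}

function linearHandlesCrafted() {
  const out = addGitShaLinear({ rawSpec: craftedRawSpec(1000000) }, SAMPLE_SHA);
  return out === `#${SAMPLE_SHA}`;
}

console.log('strippers agree on well-formed specs:', strippersAgree());
console.log('guard rejects crafted spec:', guardRejectsCrafted());
console.log('linear stripper finishes on crafted spec:', linearHandlesCrafted());
```

The guard belongs at the boundary where a package spec enters the process (for example before a spec is handed to any git-URL parsing), and the linear stripper removes the quadratic behaviour even for callers that bypass the guard; applying both means a rejected spec produces an error rather than a stalled process.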

Added: May 26, 2026, 5:26 PM
Updated: May 26, 2026, 5:26 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          2.5
  exploitability  8.7
  remediation     0.0
  relevance       9.6
  threat          6.4
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.