// Service

Railway

// Alerts

Recent threats

CVE-2026-9496 is a Denial of Service vulnerability in the pacote npm package (versions from 11.2.7), a dependency used in npm-based build and package-fetching pipelines such as those underlying Railway's build system. An attacker can supply a specially crafted spec.rawSpec value to the addGitSha function, triggering inefficient regex and string-manipulation logic that causes excessive CPU consumption, potentially stalling or crashing the process. The vulnerability is remotely exploitable without authentication and requires no user interaction (CWE-400, CWE-1333). CVSS scores are 7.5 (v3.1) and 7.7 (v4.0), both rated HIGH. No active exploitation in the wild has been reported; a patch is available and Railway, as a managed cloud platform, is expected to apply server-side remediation.