[Pkg-javascript-devel] Bug#1139159: npm: CVE-2026-9496
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 6 19:39:44 BST 2026
Source: npm
Version: 11.16.0+ds2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for npm.
CVE-2026-9496[0]:
| Versions of the package pacote from 11.2.7 are vulnerable to Denial
| of Service (DoS) via the addGitSha function. An attacker can exploit
| this vulnerability by supplying a specially crafted spec.rawSpec
| value that triggers the function’s regex replacement and string-
| manipulation logic, causing excessive CPU consumption and
| potentially stalling or crashing the process.
pacote is embedded/provided via src:npm.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9496
https://www.cve.org/CVERecord?id=CVE-2026-9496
[1] https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
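The advisory describes a regex replacement in pacote's addGitSha that backtracks badly on a crafted spec.rawSpec. The block below is an added illustration of that class of bug, not pacote's source and not the exact pattern behind CVE-2026-9496: the regex-based function is an assumed stand-in for "strip the trailing #committish and append a sha", the indexOf-based function is a linear-time way to do the same transform, and hostileSpec() builds a constructed input that makes a `.*$`-style pattern scan quadratically (every `#` is tried as a start, `.` stops at the newline, `$` fails, the engine backtracks).

```javascript
// Added example, not pacote's code. ASSUMPTION: the regex below is an
// illustrative stand-in for a "#fragment"-stripping replacement, chosen to
// show the backtracking cost the advisory describes; it is not a claim
// about pacote's exact source.
function addGitShaRegex(rawSpec, sha) {
  return rawSpec.replace(/#.*$/, '') + `#${sha}`;
}

// Linear-time alternative: cut at the first '#' with indexOf, no regex.
// Note the semantic difference: everything after the first '#' is dropped,
// including a newline, which a dot-based regex would refuse to cross.
function addGitShaSafe(rawSpec, sha) {
  const i = rawSpec.indexOf('#');
  const base = i === -1 ? rawSpec : rawSpec.slice(0, i);
  return `${base}#${sha}`;
}

// Constructed hostile input: n '#' characters followed by a newline.
// '.' does not match '\n' and '$' (no 'm' flag) only matches at end of
// input, so for each '#' start the engine consumes the remaining '#'s,
// fails at '$', and backtracks one char at a time: O(n^2) overall, and
// the replace ends up matching nothing.
function hostileSpec(n) {
  return '#'.repeat(n) + '\n';
}

// Wall-clock cost of one call, in milliseconds.
function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Stand-alone demo: compare both implementations on a benign spec and on a
// hostile one. Only runs when executed directly (node thisfile.js).
if (typeof require !== 'undefined' && require.main === module) {
  const benign = 'git+ssh://git@github.com/org/repo.git#v1.2.3';
  console.log(addGitShaRegex(benign, 'abc123'));
  console.log(addGitShaSafe(benign, 'abc123'));

  const hostile = hostileSpec(20000);
  console.log('regex  :', timeMs(() => addGitShaRegex(hostile, 'abc123')).toFixed(1), 'ms');
  console.log('indexOf:', timeMs(() => addGitShaSafe(hostile, 'abc123')).toFixed(1), 'ms');
}
```

On benign specs both functions agree; the point of the demo is that the cost of the regex version grows with the square of the input length while the indexOf version stays linear, which is the shape of the denial of service the advisory reports. Any real fix should be taken from the upstream pacote release rather than from this sketch.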