[Pkg-javascript-devel] Bug#1139159: Bug#1139159: npm: CVE-2026-9496
Salvatore Bonaccorso
carnil at debian.org
Sun Jun 21 12:37:20 BST 2026
Hi Xavier,
On Sun, Jun 21, 2026 at 12:26:07PM +0200, Xavier wrote:
> Control: fixed -1 7.6.0+ds-1
>
> Le 06/06/2026 à 20:39, Salvatore Bonaccorso a écrit :
> > Source: npm
> > Version: 11.16.0+ds2-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for npm.
> >
> > CVE-2026-9496[0]:
> > | Versions of the package pacote from 11.2.7 are vulnerable to Denial
> > | of Service (DoS) via the addGitSha function. An attacker can exploit
> > | this vulnerability by supplying a specially crafted spec.rawSpec
> > | value that triggers the function’s regex replacement and string-
> > | manipulation logic, causing excessive CPU consumption and
> > | potentially stalling or crashing the process.
> >
> > pacote is embedded/provided via src:npm.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2026-9496
> > https://www.cve.org/CVERecord?id=CVE-2026-9496
> > [1] https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
>
> Hi,
>
> pacote reached version 11.2.7 in npm 7.6.0.
IMHO closing is wrong. The versions affected are, in my understanding,
pacote >= 11.2.7 (not the fixed version), and it is still vulnerable up to
21.5.1 and fixed.
Can you recheck, please?
Regards,
Salvatore