#1139159 npm: CVE-2026-9496

Package:
src:npm
Source:
src:npm
Submitter:
Salvatore Bonaccorso
Date:
2026-06-21 11:47:02 UTC
Severity:
normal
Tags:
#1139159#5
Date:
2026-06-06 18:39:44 UTC
Hi,

The following vulnerability was published for npm.

CVE-2026-9496[0]:
| Versions of the package pacote from 11.2.7 are vulnerable to Denial
| of Service (DoS) via the addGitSha function. An attacker can exploit
| this vulnerability by supplying a specially crafted spec.rawSpec
| value that triggers the function’s regex replacement and string-
| manipulation logic, causing excessive CPU consumption and
| potentially stalling or crashing the process.

pacote is embedded/provided via src:npm.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9496
https://www.cve.org/CVERecord?id=CVE-2026-9496
[1] https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1139159#10
Date:
2026-06-21 10:26:07 UTC
On 06/06/2026 at 20:39, Salvatore Bonaccorso wrote:

Hi,

pacote reached version 11.2.7 in npm 7.6.0.

Best regards,
Xavier

#1139159#15
Date:
2026-06-21 11:37:20 UTC
Hi Xavier,

IMHO closing is wrong. The affected versions are, in my understanding,
pacote >= 11.2.7 (not a fixed version), and still vulnerable up to
21.5.1 and fixed.

Can you recheck, please?

Regards,
Salvatore