CVE-2026-9496

Name: CVE-2026-9496
Description: Versions of the package pacote from 11.2.7 onward are vulnerable to Denial of Service (DoS) via the addGitSha function. An attacker can exploit this vulnerability by supplying a specially crafted spec.rawSpec value that triggers the function's regex replacement and string-manipulation logic, causing excessive CPU consumption and potentially stalling or crashing the process.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1139159
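Added example, not taken from this page and not pacote's own code: since no fixed Debian version is listed, a tool that feeds untrusted package specs into pacote can bound the input before the resolver's regex and string handling ever sees it. The length limit, the no-whitespace rule and the single-"#" rule below are this example's own assumptions (a generic algorithmic-complexity DoS mitigation, not a description of the actual addGitSha logic), and the sample specs are constructed.

```javascript
// Added example: pre-validate a raw package spec before handing it to a
// dependency resolver such as pacote. Not pacote code. The limits are
// assumptions chosen so that any regex or string manipulation downstream
// only ever runs on short, well-formed input.

const MAX_RAW_SPEC_LENGTH = 2048; // assumption: generous for any real registry/git spec

class RawSpecError extends Error {}

function guardRawSpec(raw, maxLength = MAX_RAW_SPEC_LENGTH) {
  if (typeof raw !== 'string') {
    throw new RawSpecError('spec must be a string');
  }
  // Cheap O(1) length check first: inputs built to make downstream
  // quadratic regex backtracking expensive are rejected before any
  // pattern runs on them.
  if (raw.length > maxLength) {
    throw new RawSpecError(`spec exceeds ${maxLength} characters`);
  }
  // Registry names, version ranges, URLs and git specs never contain
  // whitespace or control characters; newlines in particular change how
  // '.' and '$' behave in a regex, so reject them outright. (Assumption:
  // file: specs with spaces in the path are not expected here.)
  if (/[\s\x00-\x1f\x7f]/.test(raw)) {
    throw new RawSpecError('spec contains whitespace or control characters');
  }
  // A committish/fragment delimiter occurs at most once in a git spec.
  const hashCount = raw.split('#').length - 1;
  if (hashCount > 1) {
    throw new RawSpecError('spec contains more than one "#"');
  }
  return raw;
}

// Constructed inputs: two normal specs and two that a guard should stop.
const SAMPLE_SPECS = {
  registry: 'lodash@^4.17.21',
  git: 'git+https://github.com/npm/pacote.git#v11.2.7',
  oversized: 'git+https://example.invalid/repo.git#' + '#'.repeat(100000),
  multiline: 'git+https://example.invalid/repo.git#main\n#other',
};

// Runs the guard over a map of specs and reports the outcome per entry,
// so the policy can be reviewed without the caller catching exceptions.
function classify(specs) {
  const result = {};
  for (const [name, spec] of Object.entries(specs)) {
    try {
      guardRawSpec(spec);
      result[name] = 'accepted';
    } catch (e) {
      if (!(e instanceof RawSpecError)) throw e;
      result[name] = `rejected: ${e.message}`;
    }
  }
  return result;
}

const REPORT = classify(SAMPLE_SPECS);
console.log(REPORT);
```

The guard does not replace upgrading; it only ensures that, until a fixed npm/pacote lands in the affected releases, a remote-supplied spec cannot be arbitrarily long or multi-line when it reaches the resolver.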

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release      Version         Status
npm (PTS)        bullseye     7.5.2+ds-2      vulnerable
                 bookworm     9.2.0~ds1-1     vulnerable
                 trixie       9.2.0~ds1-3     vulnerable
                 forky, sid   11.16.0+ds2-1   vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
npm       source   (unstable)   (unfixed)                          1139159

Notes

[trixie] - npm <no-dsa> (Minor issue)
[bookworm] - npm <no-dsa> (Minor issue)
[bullseye] - npm <postponed> (Minor issue)
https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084
