{“lastseen”:””,”description”:”jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\\\\r`, `\\\\u2028`, or `\\\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug – a ReDOS – also exhibits when those same line break characters are present in a patch’s *patch* header (also known as its \\”leading garbage\\”). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*\u00b3) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\\\\r`, `\\\\u2028`, or `\\\\u2029`.”,”published”:”2026-01-22T02:23:44.059Z”,”modified”:”2026-01-22T12:58:09.928Z”,”type”:”cve”,”title”:”jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch”,”source”:”GitHub_M”,”references”:”https:\/\/github.com\/kpdecker\/jsdiff\/security\/advisories\/GHSA-73rr-hh4g-fpgx\\nhttps:\/\/github.com\/kpdecker\/jsdiff\/issues\/653\\nhttps:\/\/github.com\/kpdecker\/jsdiff\/pull\/649\\nhttps:\/\/github.com\/kpdecker\/jsdiff\/commit\/15a1585230748c8ae6f8274c202e0c87309142f5″,”id”:”CVE-2026-24001″,”bulletinFamily”:””,”cwe”:[“CWE-400″,”CWE-1333″],”cvelist”:null,”sourceData”:”kpdecker jsdiff \\u003e= 6.0.0, \\u003c 8.0.3\\nkpdecker jsdiff \\u003e= 5.0.0, \\u003c 5.2.2\\nkpdecker jsdiff \\u003c 4.0.4″,”sourceHref”:””,”cvss”:{“score”:2.7,”severity”:”LOW”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:N\/VI:N\/VA:L\/SC:N\/SI:N\/SA:N\/E:U”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”jsdiff”,”version”:”\\u003e= 6.0.0, \\u003c 8.0.3″,”vendor”:”kpdecker”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,150,12,71,13,7,11,5],"class_list":["post-36857","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-27","tag-exploit","tag-low","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n