Jsdiff · Jsdiff · CVE-2026-24001
**Name of the Vulnerable Software and Affected Versions**
jsdiff versions prior to 8.0.3
jsdiff versions prior to 5.2.2
jsdiff versions prior to 4.0.4
**Description**
jsdiff is a JavaScript text differencing implementation. When processing a patch file, if the filename headers contain specific line break characters (`\r`, `\u2028`, or `\u2029`), the `parsePatch` method can enter an infinite loop, leading to excessive memory consumption and a potential denial-of-service (DoS) attack. The `applyPatch` method is also affected when called with a string representation of a patch, because it calls `parsePatch` internally. A ReDoS (Regular Expression Denial of Service) vulnerability also exists when these line break characters are present in the patch header, potentially causing the `parsePatch` method to take O(n³) time to parse a maliciously crafted header of length n. This issue does not require a large payload to trigger, and size limits on user input do not provide protection. Applications that call `parsePatch` with user-provided patches are susceptible.
**Recommendations**
jsdiff versions prior to 8.0.3: Upgrade to version 8.0.3 or later.
jsdiff versions prior to 5.2.2: Upgrade to version 5.2.2 or later.
jsdiff versions prior to 4.0.4: Upgrade to version 4.0.4 or later.
As a temporary workaround, avoid parsing patches containing the characters `\r`, `\u2028`, or `\u2029`.
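
One way to apply the temporary workaround in calling code, as an added example that is not part of the advisory or of jsdiff: the input is scanned for the three characters before any parser sees it. `findForbiddenLineBreak` and `guardedParsePatch` are hypothetical names, the parser is passed in by the caller, and the sample patch is constructed.

```javascript
// Added example: pre-parse guard for the advisory's temporary workaround.
// findForbiddenLineBreak and guardedParsePatch are hypothetical names, not jsdiff APIs.

// Single character class: one linear scan, no backtracking.
const FORBIDDEN = /[\r\u2028\u2029]/;

// Returns null for clean input, otherwise where the first forbidden character sits.
function findForbiddenLineBreak(patchText) {
  if (typeof patchText !== 'string') {
    throw new TypeError('patch must be a string');
  }
  const match = FORBIDDEN.exec(patchText);
  if (match === null) return null;
  // 1-based line number, counting only "\n" as a line terminator.
  const line = patchText.slice(0, match.index).split('\n').length;
  const code = match[0].charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
  return { index: match.index, line, codePoint: 'U+' + code };
}

// Calls parse(patchText) only when the input passed the check.
// `parse` is injected by the caller, e.g. jsdiff's parsePatch.
function guardedParsePatch(patchText, parse) {
  const hit = findForbiddenLineBreak(patchText);
  if (hit !== null) {
    const err = new Error(`patch rejected: ${hit.codePoint} on line ${hit.line}`);
    err.code = 'EPATCH_LINEBREAK';
    err.detail = hit;
    throw err;
  }
  return parse(patchText);
}

// Constructed sample input (not taken from a real patch).
const CLEAN_PATCH = [
  '--- a/notes.txt',
  '+++ b/notes.txt',
  '@@ -1,2 +1,2 @@',
  ' first line',
  '-old',
  '+new',
  '',
].join('\n');

// A CRLF-terminated copy of the same patch is rejected too: it contains "\r".
const CRLF_PATCH = CLEAN_PATCH.replace(/\n/g, '\r\n');

console.log(findForbiddenLineBreak(CLEAN_PATCH));
console.log(findForbiddenLineBreak(CRLF_PATCH));
```

Because the check covers the whole input, patches with Windows line endings are refused along with malformed ones; callers that must accept such patches need the upgraded versions listed above.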