CVE-2026-24001

Name of the Vulnerable Software and Affected Versions jsdiff versions prior to 8.0.3 jsdiff versions prior to 5.2.2 jsdiff versions prior to 4.0.4

Description jsdiff is a JavaScript text differencing implementation. When processing a patch file, if the filename headers contain specific line break characters (

r

,

u2028

, or

u2029

), the

parsePatch

method can enter an infinite loop, leading to excessive memory consumption and a potential denial-of-service (DoS) attack. The

applyPatch

method is also affected when called with a string representation of a patch, as it utilizes the

parsePatch

method internally. A ReDOS (Regular Expression Denial of Service) vulnerability also exists when these line break characters are present in the patch header, potentially causing the

parsePatch

method to take O(n³) time to parse a maliciously crafted header of length n. This issue does not require a large payload to trigger and size limits on user input do not provide protection. Applications that call

parsePatch

with user-provided patches are susceptible.

Recommendations jsdiff versions prior to 8.0.3: Upgrade to version 8.0.3 or later. jsdiff versions prior to 5.2.2: Upgrade to version 5.2.2 or later. jsdiff versions prior to 4.0.4: Upgrade to version 4.0.4 or later. As a temporary workaround, avoid parsing patches containing the characters

r

,

u2028

, or

u2029

.