CVE-2026-24001

Name of the Vulnerable Software and Affected Versions jsdiff versions prior to 8.0.3 jsdiff versions prior to 5.2.2 jsdiff versions prior to 4.0.4

Description jsdiff is a JavaScript text differencing implementation. When processing a patch file, if the filename headers contain specific line break characters (r, u2028, or u2029), the parsePatch method can enter an infinite loop, leading to excessive memory consumption and a potential denial-of-service (DoS) attack. The applyPatch method is also affected when called with a string representation of a patch, as it utilizes the parsePatch method internally. A ReDOS (Regular Expression Denial of Service) vulnerability also exists when these line break characters are present in the patch header, potentially causing the parsePatch method to take O(n³) time to parse a maliciously crafted header of length n. This issue does not require a large payload to trigger and size limits on user input do not provide protection. Applications that call parsePatch with user-provided patches are susceptible.

Recommendations jsdiff versions prior to 8.0.3: Upgrade to version 8.0.3 or later. jsdiff versions prior to 5.2.2: Upgrade to version 5.2.2 or later. jsdiff versions prior to 4.0.4: Upgrade to version 4.0.4 or later. As a temporary workaround, avoid parsing patches containing the characters r, u2028, or u2029.