CVE-2026-24001

LOW EPSS 39.7%
Published Jan 22, 20265mo ago · Modified Jun 17, 20262w ago
2.7 CVSS 4.0
Low
Find Similar
Published Jan 22, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.

CVSS Details

Base Score
2.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
39.7% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-1333
CWE-400 Uncontrolled Resource Consumption Resource Mgmt

Affected Products 4

VendorProductVersionRange
kpdeckerjsdiff* <3.5.1
kpdeckerjsdiff*≥4.0.0  –  <4.0.4
kpdeckerjsdiff*≥5.0.0  –  <5.2.2
kpdeckerjsdiff*≥6.0.0  –  <8.0.3

References 4

  • github.com https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5
    Patch
  • github.com https://github.com/kpdecker/jsdiff/issues/653
    Issue Tracking
  • github.com https://github.com/kpdecker/jsdiff/pull/649
    Issue TrackingPatch
  • github.com https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx
    Vendor Advisory

Remediation

  • github.com https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5
    Patch
  • github.com https://github.com/kpdecker/jsdiff/pull/649
    Issue TrackingPatch