216.73.216.204

CVE-2026-24001

· Published 22/01/2026 03:15 · Modified 22/01/2026 03:15

Labels: CVE-2026-24001 2026-01-22CVE-2026-24001CWE-400[email protected]

Essential information

Published
22/01/2026 03:15
Modified
22/01/2026 03:15
Author
Creator
CVSS
2.7 LOW (v3) 2.7 LOW (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
jsdiff / jsdiff cpe:2.3:a:jsdiff:jsdiff:<4.0.4:*:*:*:*:*:*:*
jsdiff / jsdiff cpe:2.3:a:jsdiff:jsdiff:<5.2.2:*:*:*:*:*:*:*
jsdiff / jsdiff cpe:2.3:a:jsdiff:jsdiff:<8.0.3:*:*:*:*:*:*:*

References