Description
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.
Published: 2026-01-22
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

jsdiff’s parsePatch and applyPatch methods can enter an infinite loop when a patch’s filename headers contain carriage return or Unicode line separator characters, consuming unlimited memory until the Node.js process terminates. applyPatch is affected when it is given a string patch, which it parses with parsePatch. An additional, less severe regular-expression denial of service (ReDOS) can be triggered by large patch headers that include these characters, causing parsePatch to run in cubic time. The vulnerability allows an attacker to cause a targeted application that uses jsdiff to crash or become unresponsive by supplying a specially crafted patch; a large payload is not required, and typical size limits do not mitigate it.

Affected Systems

The security issue exists in kpdecker’s jsdiff library in all releases prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1. Releases prior to those versions are vulnerable if parsePatch or applyPatch is invoked with a user-controlled patch. Updated releases (8.0.3 and later, 5.2.2 and later, 4.0.4 and later, or 3.5.1 and later) contain the fix and are not affected.

Risk and Exploitability

The CVSS score is 2.7, indicating low to moderate severity, and the EPSS score is below 1%, suggesting a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely to be an application that accepts user-supplied patches or filenames; by providing a patch containing forbidden line break characters, an attacker can trigger the denial of service. The impact is limited to the process hosting jsdiff, with no direct escalation of privileges or data breach evident from the CVE description.

Generated by OpenCVE AI on April 18, 2026 at 15:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade jsdiff to the latest release (at least v8.0.3 for the 8.x series, v5.2.2 for the 5.x series, v4.0.4 for the 4.x series, or v3.5.1 for the 3.x series)
  • Avoid parsing patches that contain carriage return, Unicode line separator U+2028, or U+2029 characters in any header
  • Validate and sanitize filenames and patch headers before passing them to parsePatch or applyPatch
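
The workaround and the validation step above can be enforced with a pre-parse guard. The following is an added example, not code from jsdiff or from the advisory; every function and constant name in it is hypothetical, and the parser (for instance jsdiff's `parsePatch`) is passed in by the caller.

```javascript
// Added example; all function and constant names here are hypothetical.
// Characters the advisory says must not reach parsePatch / applyPatch.
const FORBIDDEN_BREAKS = new Map([
  ['\r', 'CR (\\r)'],
  ['\u2028', 'LINE SEPARATOR (U+2028)'],
  ['\u2029', 'PARAGRAPH SEPARATOR (U+2029)'],
]);

// Locate every forbidden character; "line" counts \n-terminated lines, 1-based.
function findForbiddenBreaks(text) {
  const hits = [];
  let line = 1;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === '\n') line += 1;
    else if (FORBIDDEN_BREAKS.has(ch)) {
      hits.push({ name: FORBIDDEN_BREAKS.get(ch), line, index: i });
    }
  }
  return hits;
}

// Reject before parsing. Note: this also rejects CRLF-terminated patches,
// because the workaround forbids \r anywhere in the input.
function assertNoForbiddenBreaks(text, what) {
  if (typeof text !== 'string') throw new TypeError(`${what} must be a string`);
  const hits = findForbiddenBreaks(text);
  if (hits.length > 0) {
    const first = hits[0];
    throw new RangeError(
      `${what} rejected: ${first.name} at line ${first.line}, index ${first.index}` +
      ` (${hits.length} forbidden character(s) in total)`);
  }
  return text;
}

// Wrap a parser (for example jsdiff's parsePatch, passed in by the caller)
// so untrusted patch text is screened first.
function guardedParse(parse, patchText) {
  return parse(assertNoForbiddenBreaks(patchText, 'patch'));
}

// Screen user-supplied filenames before the application builds a patch from them.
function checkFilenames(...names) {
  names.forEach((n, i) => assertNoForbiddenBreaks(n, `filename #${i + 1}`));
  return names;
}
```

Because the guard rejects `\r` anywhere, patches with Windows line endings must be normalised or refused until the library is upgraded to a fixed release.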



Advisories
Source: Github GHSA
ID: GHSA-73rr-hh4g-fpgx
Title: jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

History

Wed, 04 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:kpdecker:jsdiff:*:*:*:*:*:node.js:*:*

Fri, 30 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: the description as first published on Thu, 22 Jan 2026 02:45:00 +0000, which lists the fixed versions as 8.0.3, 5.2.2, and 4.0.4.
Values Added: the current description shown at the top of this page, which lists the fixed versions as 8.0.3, 5.2.2, 4.0.4, and 3.5.1.

Wed, 28 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics
Values Removed: threat_severity: None
Values Added: cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Important


Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Kpdecker
Kpdecker jsdiff
Vendors & Products Kpdecker
Kpdecker jsdiff

Thu, 22 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 Jan 2026 02:45:00 +0000

Type Values Removed Values Added
Description jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.
Title jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
Weaknesses CWE-1333
CWE-400
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T16:03:16.859Z

Reserved: 2026-01-19T18:49:20.658Z

Link: CVE-2026-24001

Vulnrichment

Updated: 2026-01-22T12:58:03.694Z

NVD

Status: Analyzed

Published: 2026-01-22T03:15:47.627

Modified: 2026-03-04T15:23:41.347

Link: CVE-2026-24001

Redhat

Severity: Important

Public Date: 2026-01-22T02:23:44Z

Links: CVE-2026-24001 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:30:03Z

Weaknesses