{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24001", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-19T18:49:20.658Z", "datePublished": "2026-01-22T02:23:44.059Z", "dateUpdated": "2026-02-03T16:03:16.859Z"}, "containers": {"cna": {"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx"}, {"name": "https://github.com/kpdecker/jsdiff/issues/653", "tags": ["x_refsource_MISC"], "url": "https://github.com/kpdecker/jsdiff/issues/653"}, {"name": "https://github.com/kpdecker/jsdiff/pull/649", "tags": ["x_refsource_MISC"], "url": "https://github.com/kpdecker/jsdiff/pull/649"}, {"name": "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", "tags": ["x_refsource_MISC"], "url": "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5"}], "affected": [{"vendor": "kpdecker", "product": "jsdiff", "versions": [{"version": ">= 6.0.0, < 8.0.3", "status": "affected"}, {"version": ">= 5.0.0, < 5.2.2", "status": "affected"}, {"version": ">= 4.0.0, < 4.0.4", "status": "affected"}, {"version": "< 3.5.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T17:16:10.830Z"}, "descriptions": [{"lang": "en", "value": "jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\\r`, `\\u2028`, or `\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its \"leading garbage\"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*\u00b3) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\\r`, `\\u2028`, or `\\u2029`."}], "source": {"advisory": "GHSA-73rr-hh4g-fpgx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-22T12:57:00.484983Z", "id": "CVE-2026-24001", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T16:03:16.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24001", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-22T12:57:00.484983Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T12:58:03.694Z"}}], "cna": {"title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", "source": {"advisory": "GHSA-73rr-hh4g-fpgx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "kpdecker", "product": "jsdiff", "versions": [{"status": "affected", "version": ">= 6.0.0, < 8.0.3"}, {"status": "affected", "version": ">= 5.0.0, < 5.2.2"}, {"status": "affected", "version": ">= 4.0.0, < 4.0.4"}, {"status": "affected", "version": "< 3.5.1"}]}], "references": [{"url": "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", "name": "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/kpdecker/jsdiff/issues/653", "name": "https://github.com/kpdecker/jsdiff/issues/653", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kpdecker/jsdiff/pull/649", "name": "https://github.com/kpdecker/jsdiff/pull/649", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", "name": "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\\r`, `\\u2028`, or `\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its \"leading garbage\"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*\u00b3) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\\r`, `\\u2028`, or `\\u2029`."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-30T17:16:10.830Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24001", "state": "PUBLISHED", "dateUpdated": "2026-02-03T16:03:16.859Z", "dateReserved": "2026-01-19T18:49:20.658Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-22T02:23:44.059Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kpdecker:jsdiff:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "44451D09-9FDB-43D6-8E29-33D8306067CC", "versionEndExcluding": "3.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:kpdecker:jsdiff:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "AD273CF5-9C48-4A54-BBBF-3C921F993312", "versionEndExcluding": "4.0.4", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kpdecker:jsdiff:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "7A5DF5EF-0C3D-4A23-B468-CD94F474A87C", "versionEndExcluding": "5.2.2", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kpdecker:jsdiff:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FCA7FF3F-546F-494B-A5B0-42A93E4181EC", "versionEndExcluding": "8.0.3", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\\r`, `\\u2028`, or `\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its \"leading garbage\"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*\u00b3) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\\r`, `\\u2028`, or `\\u2029`."}], "id": "CVE-2026-24001", "lastModified": "2026-03-04T15:23:41.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-22T03:15:47.627", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/kpdecker/jsdiff/issues/653"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/kpdecker/jsdiff/pull/649"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "jsdiff: denial of service vulnerability in parsePatch and applyPatch", "id": "2431930", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431930"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-400", "details": ["jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\\r`, `\\u2028`, or `\\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its \"leading garbage\"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*\u00b3) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\\r`, `\\u2028`, or `\\u2029`.", "A flaw was found in jsdiff. A specially crafted patch input containing specific line break characters can cause the parsePatch method to enter an infinite loop, leading to uncontrolled memory consumption and a process crash, resulting in a denial of service. The applyPatch method is similarly affected when called with a string representation of a patch as an argument. Additionally, a related vulnerability allows a Regular Expression Denial of Service (ReDoS) when these characters are present in a patch filename header, significantly increasing parsing time."], "mitigation": {"lang": "en:us", "value": "To mitigate this flaw, applications parsing user-supplied patch data should implement input validation to detect and reject input containing line break characters, such as \\r, \\u2028, or \\u2029 before passing the input to the parsePatch and the applyPatch methods, preventing the library from entering an infinite loop and consuming excessive memory."}, "name": "CVE-2026-24001", "package_state": [{"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "nodejs-diff", "product_name": "Red Hat Satellite 6"}], "public_date": "2026-01-22T02:23:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-24001\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-24001\nhttps://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5\nhttps://github.com/kpdecker/jsdiff/issues/653\nhttps://github.com/kpdecker/jsdiff/pull/649\nhttps://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx"], "statement": "Applications using the parsePatch and the applyPatch methods to process patches provided by user input are vulnerable to this issue. Specifically, specially crafted patch input with line break characters such as \\r, \\u2028, or \\u2029 can cause an infinite loop, excessive resource consumption and application crashes. This issue can occur even with small payloads or when users control filename headers, allowing a remote attacker to cause a denial of service. Due to this reason, this vulnerability has been rated with an important severity.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-18T15:27:56.043225+00:00", "value": {"mitigation_remediation": ["Upgrade jsdiff to the latest release (at least v8.0.3 for the 8.x series, v5.2.2 for the 5.x series, v4.0.4 for the 4.x series, or v3.5.1 for the 3.x series)", "Avoid parsing patches that contain carriage return, Unicode line separator U+2028, or U+2029 characters in any header", "Validate and sanitize filenames and patch headers before passing them to parsePatch or applyPatch"], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The security issue exists in kpdecker\u2019s jsdiff library in all releases prior to version 8.0.3, 5.2.2, 4.0.4, and 3.5.1. Those specific releases are vulnerable if parsePatch or applyPatch is invoked with a user-controlled patch. Updated releases (8.0.3 and later, 5.2.2 and later, 4.0.4 and later, or 3.5.1 and later) contain the fix and are not affected.", "description_and_impact": "jsdiff\u2019s parsePatch and applyPatch methods can enter an infinite loop when a patch\u2019s filename headers contain carriage return or Unicode line separator characters, consuming unlimited memory until the node.js process terminates. The same flaw also exists in applyPatch when a string patch is parsed. An additional, less intense regular-expression denial of service (ReDOS) can trigger with large patch headers that include these characters, causing parsePatch to execute in cubic time. The vulnerability allows an attacker to cause a targeted application that uses jsdiff to crash or become unresponsive by supplying a specially crafted patch; a large payload is not required, and typical size limits do not mitigate it.", "risk_and_exploitability": "The CVSS score is 2.7, indicating low to moderate severity, and the EPSS score is below 1%, suggesting a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely to be an application that accepts user-supplied patches or filenames; by providing a patch containing forbidden line break characters, an attacker can trigger the denial of service. The impact is limited to the process hosting jsdiff, with no direct escalation of privileges or data breach evident from the CVE description."}}}}, "created": "2026-01-22T10:07:57.455393+00:00", "updated": "2026-04-18T15:30:03.968172+00:00", "vendors": ["kpdecker", "kpdecker$PRODUCT$jsdiff"]}