CVE-2026-24001
Unknown Unknown - Not Provided
Infinite Loop and ReDOS in jsdiff parsePatch Causing DoS

Publication date: 2026-01-22

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*Β³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-03-04
Generated
2026-06-16
AI Q&A
2026-01-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24001
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
kpdecker jsdiff to 3.5.1 (exc)
kpdecker jsdiff From 4.0.0 (inc) to 4.0.4 (exc)
kpdecker jsdiff From 5.0.0 (inc) to 5.2.2 (exc)
kpdecker jsdiff From 6.0.0 (inc) to 8.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-24001 is a denial-of-service (DoS) vulnerability in the jsdiff JavaScript library's parsePatch and applyPatch methods. When these methods parse patch files whose filename headers contain certain line break characters (carriage return \r, Unicode line separator \u2028, or paragraph separator \u2029), parsePatch can enter an infinite loop. This causes unbounded memory consumption, eventually crashing the process due to out-of-memory errors. Additionally, a related Regular Expression Denial of Service (ReDoS) vulnerability causes the parsing time to increase cubically with the length of a malicious patch header. These issues allow attackers to cause excessive CPU and memory usage, leading to DoS. The vulnerability affects versions prior to 8.0.3, 5.2.2, and 4.0.4, and has been fixed in those versions. The root cause involves inconsistent regex handling and flawed parsing logic around these special characters. [1, 2, 3]

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial-of-service condition in applications using the vulnerable versions of the jsdiff library. Specifically, if your application calls parsePatch or applyPatch with user-supplied patch data containing the problematic line break characters, the library may enter an infinite loop and consume unlimited memory, leading to a crash of the Node.js process. This can disrupt service availability and potentially cause downtime. The vulnerability can be triggered with relatively small inputs, so input size limits do not protect against it. Even applications generating patches internally may be vulnerable if users can influence filename headers. Therefore, the impact is primarily service unavailability due to resource exhaustion. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring for applications using vulnerable versions of the jsdiff library (versions >=4.0.0 and <4.0.4, >=5.0.0 and <5.2.2, and >=6.0.0 and <8.0.3) that parse patches containing the problematic line break characters \r, \u2028, or \u2029 in filename headers. Detection can involve checking logs or application inputs for patches containing these characters. Since the vulnerability causes infinite loops and high memory consumption, monitoring for unusually high CPU or memory usage in processes using jsdiff's parsePatch or applyPatch methods can also indicate exploitation attempts. Specific commands are not provided in the resources, but general approaches include searching patch inputs for these characters (e.g., using grep or similar tools) and monitoring process resource usage (e.g., using top, ps, or system monitoring tools). [1, 2]

Mitigation Strategies

Immediate mitigation steps include upgrading the jsdiff library to version 8.0.3 or later (or patched versions 5.2.2 and 4.0.4) where the vulnerability is fixed. As a workaround, avoid parsing patches that contain the line break characters \r, \u2028, or \u2029 in filename headers. Additionally, ensure that applications do not accept or process user-supplied patches with these characters. Monitoring and restricting inputs to the parsePatch and applyPatch methods can help prevent exploitation until the upgrade is applied. [1, 2, 3]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24001. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart