CVE-2026-24001: jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.
Security readout for executives and security teams
Plain-English summary
CVE-2026-24001 lets a small, specially formed patch make jsdiff consume memory until the process crashes. The main business risk is service outage in applications that accept or generate patches with user-controlled filenames. Fixed releases are available for supported version lines.
Executive priority
Prioritize remediation for internet-facing or multi-tenant services that process diffs or patches. The likely impact is availability loss, not data theft, but the low complexity and small input requirement make prompt patching appropriate.
Technical view
jsdiff parsePatch can enter an infinite loop when patch filename headers contain carriage return, U+2028, or U+2029. applyPatch is affected only when passed a string patch because it invokes parsePatch internally. A related ReDoS in patch headers can cause O(n^3) parsing time. Other jsdiff methods are reported unaffected.
Likely exposure
Exposure is most likely in Node.js or JavaScript services that use jsdiff to parse user-provided patches, process uploaded diffs, review code changes, or call applyPatch with string input. Apps may also be exposed when they generate patches themselves but allow users to control filenames.
Exploitation context
The source bundle does not show active exploitation, and KEV is false. The vulnerability is network-relevant when a reachable application parses attacker-controlled patch content. A large payload is not required, so simple request-size limits are not a reliable control.
Researcher notes
Affected ranges are >=6.0.0 <8.0.3, >=5.0.0 <5.2.2, >=4.0.0 <4.0.4, and <3.5.1. The advisory narrows impact to parsePatch and applyPatch with string patch input. Evidence is sufficient for vulnerability mechanics but not for exploitation in the wild.
Mitigation direction
Upgrade jsdiff to 8.0.3, 5.2.2, 4.0.4, or 3.5.1 as applicable.
Reject patch inputs containing carriage return, U+2028, or U+2029 until upgraded.
Avoid passing user-controlled patch strings to parsePatch or applyPatch.
Do not rely on input size limits as the primary protection.
Check downstream vendor guidance for packaged or transitive jsdiff usage.
Validation and detection
Inventory direct and transitive jsdiff versions in application dependency manifests and lockfiles.
Review code for parsePatch calls handling uploaded or user-controlled patch content.
Review applyPatch calls that pass string representations of patches.
Check whether user-controlled filenames can appear in generated patch headers.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1333: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1333 · source CWE mapping
Inefficient Regular Expression Complexity
Inefficient Regular Expression Complexity represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.