jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
Severity: Low
Description
Attempting to parse a patch whose filename headers contain the line break characters \r, \u2028, or \u2029 can cause the parsePatch method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory.
Recommendation
Update the diff package to the latest compatible version. The affected and patched versions are:
Affected version(s): **< 3.5.1; >= 4.0.0, < 4.0.4; >= 5.0.0, < 5.2.2; >= 6.0.0, < 8.0.3**
Patched version(s): **3.5.1, 4.0.4, 5.2.2, 8.0.3**
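Where an affected version cannot be upgraded immediately, untrusted patch text can be screened before it reaches parsePatch or applyPatch. The following is an added example, not jsdiff's own code: it scans the filename header lines ("---" / "+++") for the \r, \u2028 and \u2029 characters named in the advisory and rejects the input; the function names and the sample patches are constructed for this illustration.

```javascript
// Added example (not part of jsdiff): reject patch text whose filename
// headers carry the line break characters the advisory says drive
// parsePatch into an unbounded loop. Run this on untrusted input before
// calling diff.parsePatch / diff.applyPatch on a not-yet-patched version.

const UNSAFE_LINE_BREAKS = /[\r\u2028\u2029]/;

// Return the 1-based line numbers of every filename header line that
// contains \r, U+2028 or U+2029. Splitting on "\n" only keeps those
// characters inside the line so they can be detected. This is deliberately
// conservative: a CRLF-terminated header is rejected as well, so normalise
// line endings first if such patches must be accepted.
function findUnsafeFilenameHeaders(patchText) {
  const offending = [];
  patchText.split('\n').forEach((line, idx) => {
    const isFilenameHeader = line.startsWith('--- ') || line.startsWith('+++ ');
    if (isFilenameHeader && UNSAFE_LINE_BREAKS.test(line)) {
      offending.push(idx + 1);
    }
  });
  return offending;
}

// Throw on unsafe input so a caller cannot silently ignore the check;
// returns the text unchanged when it is safe to hand to the parser.
function assertSafePatch(patchText) {
  const bad = findUnsafeFilenameHeaders(patchText);
  if (bad.length > 0) {
    throw new Error(
      `patch rejected: unsafe line break in filename header at line(s) ${bad.join(', ')}`
    );
  }
  return patchText;
}

// Constructed sample patch (not taken from any real report).
const SAFE_PATCH = [
  'Index: hello.txt',
  '--- hello.txt',
  '+++ hello.txt',
  '@@ -1 +1 @@',
  '-hello',
  '+hello world',
  '',
].join('\n');

// Same patch, but the "+++" filename carries a U+2028 line separator.
const UNSAFE_PATCH = SAFE_PATCH.replace('+++ hello.txt', '+++ hello\u2028.txt');
```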
Related Issues
- vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - CVE-2024-6783
- Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
- Elliptic's ECDSA missing check for whether leading bit of r and s is zero - CVE-2024-42460
- Regular Expression Denial of Service (ReDoS) - Vulnerability
Tags: npm, diff
Last updated on January 30, 2026