jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch
- Severity: Low
Description
Attempting to parse a patch whose filename headers contain the line break characters \r, \u2028, or \u2029 can cause the parsePatch method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory.
Recommendation
Update the diff package to the latest compatible version. Version details:
- Affected version(s): **< 3.5.1**, **>= 4.0.0, < 4.0.4**, **>= 5.0.0, < 5.2.2**, **>= 6.0.0, < 8.0.3**
- Patched version(s): **3.5.1**, **4.0.4**, **5.2.2**, **8.0.3**
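Two defender-side checks built from this advisory, as an added example that is not jsdiff's own code: a screen for the line-break characters named in the description when they appear in patch filename headers, and a version test built from the affected ranges listed above. The header pattern, the wrapper name and the sample patch are constructed for illustration.

```javascript
// Added example; not jsdiff's own code. The advisory names "\r", "\u2028" and
// "\u2029" in filename headers as the trigger, so untrusted patch text is
// screened for them before it reaches a vulnerable parsePatch.
const UNSAFE_BREAKS = /[\r\u2028\u2029]/;

// Splitting on "\n" only keeps a stray "\r" or Unicode separator inside the
// header line, where it can be detected. Conservative: CRLF headers are flagged
// too, so normalize line endings first if you accept Windows-style patches.
function hasUnsafeHeaderBreaks(patchText) {
  return patchText.split('\n').some(
    (line) => /^(Index:|---|\+\+\+)/.test(line) && UNSAFE_BREAKS.test(line)
  );
}

// Wraps any parsePatch-like function (hypothetical wrapper) so input is
// screened before parsing.
function guardedParse(parsePatch, patchText) {
  if (hasUnsafeHeaderBreaks(patchText)) {
    throw new Error('patch rejected: line-break character in filename header');
  }
  return parsePatch(patchText);
}

// Affected ranges from the advisory as [lowInclusive, highExclusive];
// a null low bound means "any earlier version".
const AFFECTED = [
  [null, '3.5.1'],
  ['4.0.0', '4.0.4'],
  ['5.0.0', '5.2.2'],
  ['6.0.0', '8.0.3'],
];

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when an installed diff version falls inside one of the affected ranges.
function isAffectedVersion(version) {
  return AFFECTED.some(([lo, hi]) =>
    (lo === null || compareVersions(version, lo) >= 0) && compareVersions(version, hi) < 0);
}

// Constructed sample input: a minimal unified diff, and a copy whose "+++"
// header carries a U+2028 line separator.
const SAFE_PATCH = ['Index: a.txt', '--- a.txt', '+++ a.txt', '@@ -1 +1 @@', '-old', '+new'].join('\n');
const BAD_PATCH = SAFE_PATCH.replace('+++ a.txt', '+++ a\u2028.txt');
```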
- Tags:
- npm
- diff
Last updated on January 30, 2026