CVE-2026-24001

EPSS 0.02%
Veröffentlicht 22.01.2026 02:23:44
Zuletzt bearbeitet 04.03.2026 15:23:41
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Kpdecker ≫ Jsdiff SwPlatformnode.js Version < 3.5.1

Kpdecker ≫ Jsdiff SwPlatformnode.js Version >= 4.0.0 < 4.0.4

Kpdecker ≫ Jsdiff SwPlatformnode.js Version >= 5.0.0 < 5.2.2

Kpdecker ≫ Jsdiff SwPlatformnode.js Version >= 6.0.0 < 8.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.047

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	2.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx

Vendor Advisory

https://github.com/kpdecker/jsdiff/issues/653

Issue Tracking

https://github.com/kpdecker/jsdiff/pull/649

Patch

Issue Tracking

https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-24001

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-24001

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-24001

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-24001