CVE Reports

Originally published at cvereports.com

CVE-2026-24001: Diffing Dangerously: Infinite Loops and ReDoS in jsdiff

Vulnerability ID: CVE-2026-24001
CVSS Score: 2.7
Published: 2026-01-22

A critical Denial of Service vulnerability in the popular jsdiff library allows attackers to crash applications by supplying a patch file with specific Unicode line terminators. This triggers an infinite memory-leaking loop or a ReDoS condition.

TL;DR

The jsdiff library, used by millions of Node.js applications to compare text, contains a flaw in how it parses patch headers. By injecting obscure Unicode line separators (like \u2028) into a filename header, an attacker can cause the parser to enter an infinite loop. This leads to 100% CPU usage and eventual memory exhaustion, crashing the host process. Patched in versions 8.0.3, 5.2.2, and 4.0.4.


⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-400 (Uncontrolled Resource Consumption)
  • Attack Vector: Network
  • CVSS: 2.7 (Low)
  • Bug Class: Infinite Loop / Logic Error
  • Affected Component: parsePatch function
  • Exploit Complexity: Low

Affected Systems

  • Node.js applications using jsdiff
  • Code review tools
  • Git web interfaces
  • CI/CD pipelines processing patch files
  • Test frameworks using diff for assertions
  • jsdiff: >= 6.0.0, < 8.0.3 (Fixed in: 8.0.3)
  • jsdiff: >= 5.0.0, < 5.2.2 (Fixed in: 5.2.2)
  • jsdiff: < 4.0.4 (Fixed in: 4.0.4)

Code Analysis

Commit: 15a1585

Fixed parsePatch infinite loop and ReDoS

Diff too large to display inline; involves replacing regex with substring parsing.

Exploit Details

  • Internal Analysis: The commit diff reveals the exact mechanism of the bypass and fix.

Mitigation Strategies

  • Update jsdiff to the latest patched version.
  • Sanitize input to remove Unicode line separators (\u2028, \u2029) before processing.
  • Implement timeouts for patch processing operations to prevent thread blocking.
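
One way to apply the sanitization step above before untrusted text reaches parsePatch, as an added example that is not code from jsdiff or from the original report. screenPatch, MAX_PATCH_BYTES and the sample patch are hypothetical names and constructed data, and the size cap is an assumption.

```javascript
// Added example: pre-parse screening of untrusted patch text.
// screenPatch and MAX_PATCH_BYTES are hypothetical names, not part of jsdiff.
const MAX_PATCH_BYTES = 1024 * 1024; // assumed cap; tune for your workload
const UNICODE_LINE_SEPARATORS = /[\u2028\u2029]/g;
// Header lines of a unified diff, where file names appear.
const HEADER_LINE = /^(?:Index: |diff |--- |\+\+\+ )/;

function screenPatch(text) {
  if (typeof text !== 'string') throw new TypeError('patch must be a string');
  if (Buffer.byteLength(text, 'utf8') > MAX_PATCH_BYTES) {
    throw new RangeError('patch exceeds size limit');
  }
  const findings = [];
  // Split only on real newlines so U+2028/U+2029 stay inside their line.
  text.split(/\r?\n/).forEach((line, i) => {
    const hits = line.match(UNICODE_LINE_SEPARATORS);
    if (hits) {
      findings.push({
        line: i + 1,
        count: hits.length,
        inHeader: HEADER_LINE.test(line), // file name headers are the risky spot
      });
    }
  });
  // Remove the separators so the parser never sees them.
  return { clean: text.replace(UNICODE_LINE_SEPARATORS, ''), findings };
}

// Constructed sample: U+2028 inside the '+++' header, U+2029 in a body line.
const samplePatch = [
  '--- a/file.txt',
  '+++ b/file\u2028.txt',
  '@@ -1 +1 @@',
  '-old',
  '+new\u2029',
].join('\n');

const result = screenPatch(samplePatch);
console.log(result.findings);
```

A timeout only bounds this kind of hang when parsing runs in a worker thread or child process that can be terminated, because a synchronous loop blocks the event loop and timers never fire.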

Remediation Steps:

  1. Identify dependency tree usage of jsdiff using npm ls diff or yarn why diff.
  2. Update package.json to require diff versions ^4.0.4, ^5.2.2, or ^8.0.3.
  3. Run npm update or yarn upgrade.
  4. Verify that the installed version includes the fix.


Read the full report for CVE-2026-24001 on our website for more details including interactive diagrams and full exploit analysis.