CVE-2026-24001

7.5 HIGH

📋 TL;DR

This vulnerability in the jsdiff library allows denial-of-service attacks through infinite loops and resource exhaustion when parsing patches that contain specific line break characters. Applications that pass user-controlled input to jsdiff's parsePatch or applyPatch methods are affected. The vulnerability can crash processes by consuming unlimited memory.

💻 Affected Systems

Products:
  • jsdiff JavaScript library
Versions: All versions before 8.0.3, 5.2.2, 4.0.4, and 3.5.1
Operating Systems: All platforms running JavaScript/Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects parsePatch and applyPatch methods when processing patches with \r, \u2028, or \u2029 characters in filename headers.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage through process crashes, potentially affecting multiple services if jsdiff is used in critical paths.

🟠 Likely Case: Denial-of-service causing application crashes and downtime when malicious patches are processed.

🟢 If Mitigated: Limited impact with proper input validation and patching, though some performance degradation may occur.

🌐 Internet-Facing: HIGH - User-provided patches can trigger the vulnerability remotely without authentication.
🏢 Internal Only: MEDIUM - Internal users could still cause service disruption if they can provide patch input.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only small malicious patches, making it easy to weaponize. No authentication needed if user input reaches vulnerable methods.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.3, 5.2.2, 4.0.4, or 3.5.1

Vendor Advisory: https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx

Restart Required: Yes

Instructions:

1. Update jsdiff to version 8.0.3, 5.2.2, 4.0.4, or 3.5.1 using npm update diff (jsdiff is published on npm under the package name diff).
2. Restart all applications using jsdiff.
3. Verify no regressions in patch parsing functionality.

🔧 Temporary Workarounds

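Input validation filter (all platforms)

Filter out \r, \u2028, and \u2029 characters from patch inputs before processing. Because the filter runs over the whole patch, it also strips \r from hunk content, so patches written against files with CRLF line endings may no longer apply cleanly.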

// JavaScript implementation:
function sanitizePatch(patch) {
  return patch.replace(/[\r\u2028\u2029]/g, '');
}
// Use: parsePatch(sanitizePatch(userInput));

🧯 If You Can't Patch

  • Implement strict input validation to reject patches containing \r, \u2028, or \u2029 characters
  • Isolate jsdiff processing in separate containers with memory limits to contain crashes

🔍 How to Verify

Check if Vulnerable:

Check package.json for the jsdiff version (the npm package is named diff). If the version is below 8.0.3, 5.2.2, 4.0.4, or 3.5.1, you are vulnerable.

Check Version:

npm list diff
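
The version check above, as an added example that is not part of the advisory or the jsdiff project: a Node.js script that walks a lockfile's packages map and flags every installed copy of jsdiff, including nested ones, that is below the fixed releases. It assumes the npm package name diff, a lockfileVersion 2 or 3 layout, and that release lines with no listed fix (such as 6.x and 7.x) count as vulnerable; the sample lockfile is constructed.

```javascript
// Assumption: jsdiff is installed under the npm package name "diff".
// Fixed release per major line, as listed in the advisory above.
const FIXED = { 8: [8, 0, 3], 5: [5, 2, 2], 4: [4, 0, 4], 3: [3, 5, 1] };

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version triple a is greater than or equal to b.
function gte(a, b) {
  const i = a.findIndex((n, k) => n !== b[k]);
  return i === -1 || a[i] > b[i];
}

// Assumption: a release line with no listed fix (for example 6.x or 7.x)
// is treated as vulnerable; anything newer than 8.x is treated as fixed.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (v[0] > 8) return false;
  const fix = FIXED[v[0]];
  return !fix || !gte(v, fix);
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every installed copy, including ones nested under other packages.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/diff$/.test(path) || !meta.version) continue;
    findings.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
  }
  return findings;
}

// Constructed sample (hypothetical package names), not a real project.
const sampleLock = {
  packages: {
    "node_modules/diff": { version: "8.0.3" },
    "node_modules/pkg-a/node_modules/diff": { version: "5.2.0" },
    "node_modules/pkg-b/node_modules/diff": { version: "4.0.2" },
    "node_modules/pkg-c/node_modules/diff": { version: "7.0.0" },
    "node_modules/example-diff": { version: "1.0.0" },
  },
};
for (const f of auditLockfile(sampleLock))
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok"}\t${f.version}\t${f.path}`);
```

To audit a real project, pass the parsed contents of its package-lock.json to auditLockfile in place of the sample.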

Verify Fix Applied:

After updating, test parsePatch with patches containing \r, \u2028, or \u2029 characters; it should process them normally without infinite loops.

📡 Detection & Monitoring

Log Indicators:

  • Process crashes with out-of-memory errors
  • Unusually high memory consumption in jsdiff processes
  • Long-running parsePatch operations

Network Indicators:

  • Multiple patch submissions from single source
  • Small patch payloads causing service degradation

SIEM Query:

Process:memory_usage > 90% AND Process:name contains 'node' AND (Event:description contains 'jsdiff' OR Event:description contains 'parsePatch')
