Source: node-diff Version: 5.0.0~dfsg+~5.0.1-4 Severity: important Tags: security upstream Forwarded: https://github.com/kpdecker/jsdiff/issues/653 X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-diff. CVE-2026-24001[0]: | jsdiff is a JavaScript text differencing implementation. Prior to | versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose | filename headers contain the line break characters `\r`, `\u2028`, | or `\u2029` can cause the `parsePatch` method to enter an infinite | loop. It then consumes memory without limit until the process | crashes due to running out of memory. Applications are therefore | likely to be vulnerable to a denial-of-service attack if they call | `parsePatch` with a user-provided patch as input. A large payload is | not needed to trigger the vulnerability, so size limits on user | input do not provide any protection. Furthermore, some applications | may be vulnerable even when calling `parsePatch` on a patch | generated by the application itself if the user is nonetheless able | to control the filename headers (e.g. by directly providing the | filenames of the files to be diffed). The `applyPatch` method is | similarly affected if (and only if) called with a string | representation of a patch as an argument, since under the hood it | parses that string using `parsePatch`. Other methods of the library | are unaffected. Finally, a second and lesser interdependent bug - a | ReDOS - also exhibits when those same line break characters are | present in a patch's *patch* header (also known as its "leading | garbage"). A maliciously-crafted patch header of length *n* can take | `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 | contain a fix. As a workaround, do not attempt to parse patches that | contain any of these characters: `\r`, `\u2028`, or `\u2029`. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-24001 https://www.cve.org/CVERecord?id=CVE-2026-24001 [1] https://github.com/kpdecker/jsdiff/issues/653 [2] https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx [3] https://github.com/kpdecker/jsdiff/pull/649 Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
