diff-8.0.0.tgz: 1 vulnerabilities (highest severity is: 5.3) #11171
Description
Vulnerable Library - diff-8.0.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /home/wss-scanner/.yarn/berry/cache/diff-npm-8.0.2-8e9bd0086d-10c0.zip
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (diff version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2026-24001 |  Medium |
5.3 | diff-8.0.2.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-24001
Vulnerable Library - diff-8.0.2.tgz
A JavaScript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-8.0.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /home/wss-scanner/.yarn/berry/cache/diff-npm-8.0.2-8e9bd0086d-10c0.zip
Dependency Hierarchy:
- diff-8.0.0.tgz (Root Library)
- ❌ diff-8.0.2.tgz (Vulnerable Library)
Found in HEAD commit: da0c9c84fdbc82b3b8e2221482a86225136e26be
Found in base branch: main
Vulnerability Details
jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters "\r", "\u2028", or "\u2029" can cause the "parsePatch" method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call "parsePatch" with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling "parsePatch" on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The "applyPatch" method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using "parsePatch". Other methods of the library are unaffected. Finally, a second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are present in a patch's patch header (also known as its "leading garbage"). A maliciously-crafted patch header of length n can take "parsePatch" O(n³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: "\r", "\u2028", or "\u2029".
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-01-22
URL: CVE-2026-24001
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-22
Fix Resolution: https://github.com/kpdecker/jsdiff.git - v4.0.4,https://github.com/kpdecker/jsdiff.git - v5.2.2,https://github.com/kpdecker/jsdiff.git - v8.0.3
Step up your Open Source Security Game with Mend here