Diffing Dangerously: Infinite Loops and ReDoS in jsdiff
Jan 14, 2026
Executive Summary (TL;DR)
The `jsdiff` library (< 8.1.0) fails to handle Unicode line separators correctly in its patch parser. A crafted patch file containing characters like `\u2028` in a filename can trap the parser in an infinite loop, causing memory exhaustion. Additionally, a ReDoS flaw exists in how patch headers are processed. Upgrading to 8.1.0 fixes this by replacing complex regexes with string manipulation.
This is a critical Denial of Service vulnerability in the popular `jsdiff` library. By exploiting a JavaScript quirk in how the regex dot treats line separators, attackers can trigger an infinite loop or catastrophic backtracking (ReDoS), effectively freezing Node.js applications that parse patches.
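The dot-versus-line-separator mismatch described above, together with a pre-parse check for untrusted patch text, as an added example (not jsdiff's code and not the 8.1.0 patch). The function names, the header prefixes checked and the size limit are assumptions; the check is a stopgap alongside the upgrade to 8.1.0.

```javascript
// Added example, not jsdiff code. Names and limits here are assumptions.

// "." (without the "s" flag) never matches these four characters.
const DOT_EXCLUDED = /[\n\r\u2028\u2029]/;

// The mismatch in miniature: text split on "\n" keeps U+2028 inside a line,
// but a dot-based header regex cannot match across it.
function dotMatchesWholeLine(line) {
  return /^\+\+\+ (.*)$/.test(line);
}

// String-based header parsing: one linear pass, no backtracking, and every
// line is either parsed, rejected, or skipped, so a caller's loop advances.
function parseFileHeader(line) {
  if (!line.startsWith('--- ') && !line.startsWith('+++ ')) return null;
  const rest = line.slice(4);
  if (DOT_EXCLUDED.test(rest)) throw new Error('line separator in patch header');
  const tab = rest.indexOf('\t'); // optional "\t<timestamp>" suffix
  return {
    kind: line[0] === '-' ? 'old' : 'new',
    fileName: tab === -1 ? rest : rest.slice(0, tab),
  };
}

// Stopgap guard for untrusted patch text before it reaches a patch parser.
const MAX_PATCH_CHARS = 1 << 20; // assumed limit, tune per application
function checkUntrustedPatch(text) {
  if (text.length > MAX_PATCH_CHARS) return { ok: false, reason: 'too large' };
  const lines = text.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i].replace(/\r$/, ''); // tolerate CRLF line endings
    const isHeader = /^(---|\+\+\+|Index:|diff) /.test(line);
    if (isHeader && /[\r\u2028\u2029]/.test(line)) {
      return { ok: false, reason: `line separator in header at line ${i + 1}` };
    }
  }
  return { ok: true, reason: null };
}

// Constructed sample inputs (not taken from any real report).
const CLEAN = '--- a/x.txt\n+++ b/x.txt\n@@ -1 +1 @@\n-a\n+b\n';
const SUSPECT = '--- a/x.txt\n+++ b/x\u2028.txt\n@@ -1 +1 @@\n-a\n+b\n';
console.log(checkUntrustedPatch(CLEAN), checkUntrustedPatch(SUSPECT));
```

The guard flags separators only on header-like lines, so U+2028 inside ordinary hunk content is still accepted.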
Technical Appendix
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| jsdiff kpdecker | < 8.1.0 | 8.1.0 |

| Attribute | Detail |
|---|---|
| Vulnerability Type | Denial of Service (DoS) |
| Weaknesses | CWE-1333 (ReDoS), CWE-835 (Infinite Loop) |
| CVSS Estimate | 7.5 (High) |
| Attack Vector | Network (Input-based) |
| Affected Component | src/patch/parse.ts (parsePatch) |
| Patch Commit | 15a1585230748c8ae6f8274c202e0c87309142f5 |
MITRE ATT&CK Mapping
Inefficient Regular Expression Complexity and Loop with Unreachable Exit Condition