jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

[sippsolutions]

Security Vulnerability: Denial of Service (DoS) in jsdiff

Vulnerability Overview

A vulnerability has been identified in jsdiff where certain line break characters can lead to an infinite loop and potential memory exhaustion.

Detail	Description
Package	diff (npm: jsdiff)
Affected Versions	< 8.0.3
Patched Version	8.0.3

---

Impact

The parsePatch method is vulnerable to an infinite loop when processing filename headers containing specific line break characters: \r, \u2028, or \u2029.

Key risks:

• Memory Exhaustion: The process will consume memory indefinitely until it crashes (Out of Memory).
• Denial of Service (DoS): Attackers can trigger this with a very small payload; size limits on user input do not provide protection.
• Affected Methods: Both parsePatch and applyPatch (when used with string inputs) are affected.
• Secondary Issue: A lesser ReDOS (Regular Expression Denial of Service) exists in the patch header parsing, which can lead to $O(n^3)$ time complexity.

---

Patches

✅ All identified vulnerabilities have been fixed in v8.0.3.

Users are strongly encouraged to upgrade as soon as possible:

npm install diff@8.0.3

See: kpdecker/jsdiff#649

[ExplodingCabbage]

As the maintainer of jsdiff, I characterised the vulnerability as "low" severity in my advisory about it. Why are you characterising it here as "critical"? Has some other source I'm unaware of labelled it as having "critical" severity or is that your characterisation?

(In any case, a quick search of the BackstopJS repo suggests to me that it never calls parsePatch nor applyPatch, so is probably completely unaffected.)

[sippsolutions]

I just copied Dependabot's alert in our project into Gemini to create this Issue, seems AI thinks it's critical /mybad