jsdiff Denial-of-Service Vulnerability in parsePatch and applyPatch Methods

Vulnerability

A denial-of-service vulnerability has been identified in the jsdiff library, affecting versions 6.0.0 prior to 8.0.3, 5.0.0 prior to 5.2.2, and all versions prior to 4.0.4. The issue arises when the parsePatch method processes a patch whose filename headers contain certain line break characters. This causes the method to enter an infinite loop, leading to uncontrolled memory consumption and eventually crashing the process. The vulnerability can be triggered with relatively small payloads, and an application is also at risk when the filename headers of its patches can be influenced by untrusted input, even if the application generates the patches itself.

Impact

Exploitation of this vulnerability causes an infinite loop in the parsePatch method, leading to excessive memory usage and a crash under out-of-memory conditions. The applyPatch method is also affected when it is given a patch as a string, because it relies on parsePatch to parse that string.

Reproduction

To reproduce this vulnerability, use an affected version of jsdiff and call the parsePatch method with a patch whose filename headers contain one of the triggering line break characters (the advisory lists three of them, which this text renders as literal line breaks). This will trigger the infinite loop and memory exhaustion. Alternatively, the applyPatch method can be used in the same manner, but only if the patch is provided as a string, which invokes parsePatch under the hood.

Remediation

Users can upgrade to jsdiff versions 8.0.3, 5.2.2, or 4.0.4, where this vulnerability has been fixed. If an immediate upgrade is not possible, as a temporary workaround, avoid parsing patches that contain the aforementioned line break characters.
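One way to apply that workaround before handing input to jsdiff, as an added example that is not part of the original advisory or of the jsdiff project: the guard below scans the unified-diff filename header lines (the `---` and `+++` lines) for stray line-break code points and refuses to pass such a patch to parsePatch. The set of code points checked is an assumption, since the advisory's own character list did not survive extraction, and `parsePatch` is taken as a parameter rather than imported.

```javascript
// Added example (not jsdiff's own code): a pre-parse guard implementing the
// advisory's temporary workaround for a unified-diff string.
// ASSUMPTION: the code points below approximate the advisory's list of
// triggering line break characters; adjust the set to match your version's
// fix notes. LF is excluded because it is the legitimate line terminator.
const SUSPICIOUS_BREAKS = /[\r\v\f\u0085\u2028\u2029]/;

// Returns the filename header lines that contain a suspicious line-break
// character. An empty array means the patch is safe to hand to parsePatch.
// Only the `---`/`+++` header lines are inspected; hunk body lines with a
// trailing CR (CRLF patches) are not the advisory's concern and pass through.
function findUnsafeFilenameHeaders(patchText) {
  const offenders = [];
  // Split on LF only so that a CR inside a header line stays visible.
  for (const line of String(patchText).split('\n')) {
    const isFilenameHeader = line.startsWith('--- ') || line.startsWith('+++ ');
    if (isFilenameHeader && SUSPICIOUS_BREAKS.test(line)) {
      offenders.push(line);
    }
  }
  return offenders;
}

// Wraps a parsePatch function (e.g. jsdiff's) with the guard. Throws instead
// of parsing when any filename header is unsafe, so the process fails fast
// rather than looping until it runs out of memory.
function safeParsePatch(patchText, parsePatch) {
  const bad = findUnsafeFilenameHeaders(patchText);
  if (bad.length > 0) {
    throw new Error(
      `refusing to parse patch: ${bad.length} filename header line(s) contain line-break characters`
    );
  }
  return parsePatch(patchText);
}
```

Note that a patch with CRLF line endings also has a CR at the end of its header lines and is therefore rejected; normalise such input to LF before the check if you need to accept it.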

Added: Jan 22, 2026, 3:21 AM
Updated: Jan 22, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 2.3
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.