SCA: security update for diff (GHSA-73rr-hh4g-fpgx)

medium Tenable Self-Hosted Container Security Plugin ID 436765

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1,
attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or
`\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without
limit until the process crashes due to running out of memory. Applications are therefore likely to be
vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A
large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any
protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch
generated by the application itself if the user is nonetheless able to control the filename headers (e.g.
by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly
affected if (and only if) called with a string representation of a patch as an argument, since under the
hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a
second and lesser interdependent bug - a ReDOS - also exhibits when those same line break characters are
present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch
header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1
contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters:
`\r`, `\u2028`, or `\u2029`. (CVE-2026-24001)

See Also

https://github.com/advisories/GHSA-73rr-hh4g-fpgx

Plugin Details

Severity: Medium

ID: 436765

Version: Revision 1.15

Type: Local

Family: SCA Checks

Published: 1/15/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.46

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-24001

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/14/2026

Vulnerability Publication Date: 1/14/2026

Reference Information

CVE: CVE-2026-24001