Summary
@flydotio/dockerfile depends on diff (jsdiff), which has a denial-of-service vulnerability (GHSA-73rr-hh4g-fpgx, CVE-2026-24001).
Vulnerability Details
- Affected methods:
parsePatch and applyPatch
- Impact: Infinite loop and unbounded memory consumption when patch filenames contain
\r, \u2028, or \u2029 characters. A large payload is not needed to trigger the vulnerability.
- CVSS: 2.7 (Low)
- Patched versions:
diff@8.0.3, 5.2.2, 4.0.4
Current state
@flydotio/dockerfile@>=0.7.5 depends on a vulnerable version of diff (6.0.0–8.0.2). Upgrading diff to >=8.0.3 would resolve the issue.
References
Summary
@flydotio/dockerfiledepends ondiff(jsdiff), which has a denial-of-service vulnerability (GHSA-73rr-hh4g-fpgx, CVE-2026-24001).Vulnerability Details
parsePatchandapplyPatch\r,\u2028, or\u2029characters. A large payload is not needed to trigger the vulnerability.diff@8.0.3,5.2.2,4.0.4Current state
@flydotio/dockerfile@>=0.7.5depends on a vulnerable version ofdiff(6.0.0–8.0.2). Upgradingdiffto>=8.0.3would resolve the issue.References