Description

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads, which may lead to code execution if untrusted payloads are used as the source for the diff and the result is rendered with the built-in HTML formatter on a private website.

PUBLISHED Reserved 2025-09-03 | Published 2025-09-11 | Updated 2025-09-11 | Assigner snyk

LOW: 2.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P)
MEDIUM: 4.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P)

Problem types

Cross-site Scripting (XSS)

Product status

Any version before 0.7.2: affected

Any version before *: affected

Any version before *: affected

Credits

zendive

References

security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-10369031

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-12549276

security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-12549277

github.com/...ommit/0e374b5dd8d7879b329a9fc18affbd46ad50dd14

github.com/benjamine/jsondiffpatch/issues/383

benjamine.github.io/jsondiffpatch/index.html

cve.org (CVE-2025-9910)

nvd.nist.gov (CVE-2025-9910)