Advisories for Npm/Jsondiffpatch package

2025

jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin

Vulnerability in jsondiffpatch

Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting (XSS) in the HtmlFormatter (HtmlFormatter::nodeBegin). When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts that execute in the context of a consuming web page.

Affected versions: >= 0, < 0.7.2
Patched version: 0.7.2

Remediation

Upgrade to jsondiffpatch 0.7.2 or later. The fix hardens the HTML formatter to avoid script injection. …