CVE-2025-9910: jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
Vulnerability in jsondiffpatch

Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting (XSS) in the HtmlFormatter (HtmlFormatter::nodeBegin). When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts that execute in the context of the consuming web page.

Affected versions: >= 0, < 0.7.2
Patched version: 0.7.2
Remediation

Upgrade to jsondiffpatch 0.7.2 or later. The fix hardens the HTML formatter to avoid script injection.

Workarounds

Avoid using the HTML formatter on untrusted diffs, or sanitize/escape the rendered output.
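The first step of remediation is knowing which installed copies of jsondiffpatch fall inside the affected range (>= 0, < 0.7.2). The following script is an added example, not code from the advisory or from the jsondiffpatch project: it compares a version string against the patched release 0.7.2 and walks the "packages" map of a package-lock.json to flag every copy, including nested duplicates that a quick look at package.json would miss. The lockfile excerpt is constructed for the example; the lockfile layout follows npm's lockfileVersion 2/3 format.

```javascript
// Added example (not part of the advisory or the jsondiffpatch project):
// decide whether an installed jsondiffpatch version falls inside the
// affected range of CVE-2025-9910 (>= 0, < 0.7.2) and scan a lockfile
// for every copy of the package.

const PATCHED_VERSION = '0.7.2'; // from the advisory

// Parse "MAJOR.MINOR.PATCH", allowing a leading "v", a pre-release
// suffix ("-beta.1") and build metadata ("+build"), which is ignored.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric comparison of the three components; a pre-release sorts below
// the corresponding release (0.7.2-beta.1 < 0.7.2), so a pre-release of
// the patched version is still treated as affected. Two pre-release
// labels are compared as plain strings, a simplification of full semver.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  if (pa.pre && pb.pre) return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
  return 0;
}

// CVE-2025-9910 affects every release before 0.7.2.
function isAffectedByCve20259910(installedVersion) {
  return compareVersions(installedVersion, PATCHED_VERSION) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3)
// and return one finding per installed copy of jsondiffpatch.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/jsondiffpatch') || !info.version) continue;
    findings.push({
      path,
      version: info.version,
      affected: isAffectedByCve20259910(info.version),
    });
  }
  return findings;
}

// Render findings as one line per copy, with the upgrade target.
function formatReport(findings) {
  return findings
    .map((f) =>
      f.affected
        ? `AFFECTED  ${f.path}@${f.version} -> upgrade to ${PATCHED_VERSION} or later`
        : `ok        ${f.path}@${f.version}`,
    )
    .join('\n');
}

// Constructed lockfile excerpt (hypothetical project): one direct
// dependency on an affected version and one nested copy already on the
// patched release.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/jsondiffpatch': { version: '0.6.0' },
    'node_modules/some-lib/node_modules/jsondiffpatch': { version: '0.7.2' },
  },
};

console.log(formatReport(scanLockfile(SAMPLE_LOCK)));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested-copy case matters because a transitive dependency can pin an older jsondiffpatch even after the direct dependency is upgraded; dependency scanning tools catch this for the same reason.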
References
- benjamine.github.io/jsondiffpatch/index.html
- github.com/advisories/GHSA-33vc-wfww-vjfv
- github.com/benjamine/jsondiffpatch
- github.com/benjamine/jsondiffpatch/commit/0e374b5dd8d7879b329a9fc18affbd46ad50dd14
- github.com/benjamine/jsondiffpatch/issues/383
- nvd.nist.gov/vuln/detail/CVE-2025-9910
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-12549277
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-12549276
- security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-10369031