jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
- Severity:
- Medium
Description
Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting (XSS) in the HtmlFormatter (HtmlFormatter::nodeBegin). When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts and execute in the context of a consuming web page.
Affected versions: >= 0, < 0.7.
Recommendation
Update the jsondiffpatch package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.7.2
- Patched version(s): 0.7.2
References
- GHSA-33vc-wfww-vjfv
- benjamine.github.io
- security.snyk.io
- CVE-2025-9910
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- Tags:
- npm
- jsondiffpatch
Anything's wrong? Let us know Last updated on September 22, 2025