VYPR
Moderate severity · NVD Advisory · Published May 4, 2022 · Updated Aug 3, 2024

CVE-2022-30241

Description

The jquery.json-viewer library through 1.4.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| jquery.json-viewer (npm) | < 1.5.0 | 1.5.0 |

Vulnerability mechanics

Root cause

"Missing HTML escaping of JSON object keys allows stored cross-site scripting (XSS)."

Attack vector

An attacker who can control a JSON object that is rendered by the library can inject arbitrary HTML/JavaScript by placing a payload such as `<script>alert(1)</script>` in either a string value or an object key. When the library renders the JSON, the unescaped characters are interpreted as markup, breaking out of the intended text context. The advisory demonstrates this with a `SCRIPT` element inside a JSON object, which would execute in the browser of any user viewing the rendered output.

Affected code

The vulnerability exists in `json-viewer/jquery.json-viewer.js`. The `htmlEscape` function was missing entirely before the patch, and the inline escaping logic (`.replace(/&/g, '&amp;')` etc.) was only applied to JSON string **values**, not to object **keys**. The `for (var key in json)` loop inserted the raw key directly into the HTML without any sanitization.
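
The pattern described above, reduced to a stand-alone sketch (an added example, not the library's source or the patch itself). The `render` and `htmlEscape` functions and the sample object are constructed for illustration: string values are always escaped, while keys go through a caller-supplied filter so the same input can be rendered with raw keys and with escaped keys.

```javascript
// Added illustration; names are hypothetical and this is not jquery.json-viewer code.

// Escape the characters that carry meaning in HTML text and attribute contexts.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Minimal JSON-to-HTML renderer. String values are escaped in every case;
// keyFilter decides what happens to object keys before concatenation.
function render(json, keyFilter) {
  if (typeof json === 'string') {
    return '<span class="json-string">"' + htmlEscape(json) + '"</span>';
  }
  if (json === null || typeof json !== 'object') {
    return '<span class="json-literal">' + htmlEscape(json) + '</span>';
  }
  let html = '<ul class="json-dict">';
  for (const key in json) {
    if (Object.prototype.hasOwnProperty.call(json, key)) {
      html += '<li>' + keyFilter(key) + ': ' + render(json[key], keyFilter) + '</li>';
    }
  }
  return html + '</ul>';
}

// Keys concatenated as-is: the behaviour the advisory describes.
const renderKeysRaw = (json) => render(json, (k) => k);
// Keys passed through the same escaping as values.
const renderKeysEscaped = (json) => render(json, htmlEscape);

// Count how many times a literal substring occurs in the rendered HTML.
const countOf = (haystack, needle) => haystack.split(needle).length - 1;

// Constructed sample: the page's payload used as both key and value.
const sample = { '<script>alert(1)</script>': '<script>alert(1)</script>' };

console.log('raw keys    :', countOf(renderKeysRaw(sample), '<script>'), 'live <script> tag(s)');
console.log('escaped keys:', countOf(renderKeysEscaped(sample), '<script>'), 'live <script> tag(s)');
```

A regression test for a JSON renderer should feed markup through keys as well as values and assert that the output contains no unescaped tag from the input.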

What the fix does

The patch introduces a reusable `htmlEscape` function that replaces `&`, `

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
