Medium severity4.7OSV Advisory· Published Sep 11, 2025· Updated Apr 15, 2026
CVE-2025-9910
CVE-2025-9910
Description
Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jsondiffpatchnpm | < 0.7.2 | 0.7.2 |
Affected products
1- Range: v0.0.2, v0.0.3, v0.0.5, …
Patches
10e374b5dd8d7fix: #383
1 file changed · +15 −6
packages/jsondiffpatch/src/formatters/html.ts+15 −6 modified@@ -17,8 +17,16 @@ interface HtmlFormatterContext extends BaseFormatterContext { class HtmlFormatter extends BaseFormatter<HtmlFormatterContext> { typeFormattterErrorFormatter(context: HtmlFormatterContext, err: unknown) { - // eslint-disable-next-line @typescript-eslint/restrict-template-expressions - context.out(`<pre class="jsondiffpatch-error">${err}</pre>`); + const message = + typeof err === 'object' && + err !== null && + 'message' in err && + typeof err.message === 'string' + ? err.message + : String(err); + context.out( + `<pre class="jsondiffpatch-error">${htmlEscape(message)}</pre>`, + ); } formatValue(context: HtmlFormatterContext, value: unknown) { @@ -85,8 +93,8 @@ class HtmlFormatter extends BaseFormatter<HtmlFormatterContext> { nodeType ? ` jsondiffpatch-child-node-type-${nodeType}` : '' }`; context.out( - `<li class="${nodeClass}" data-key="${leftKey}">` + - `<div class="jsondiffpatch-property-name">${leftKey}</div>`, + `<li class="${nodeClass}" data-key="${htmlEscape(leftKey)}">` + + `<div class="jsondiffpatch-property-name">${htmlEscape(leftKey)}</div>`, ); } @@ -194,8 +202,9 @@ class HtmlFormatter extends BaseFormatter<HtmlFormatterContext> { } } -function htmlEscape(text: string) { - let html = text; +function htmlEscape(value: string | number) { + if (typeof value === 'number') return value; + let html = String(value); const replacements: [RegExp, string][] = [ [/&/g, '&'], [/</g, '<'],
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- github.com/advisories/GHSA-33vc-wfww-vjfvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-9910ghsaADVISORY
- benjamine.github.io/jsondiffpatch/index.htmlnvdWEB
- github.com/benjamine/jsondiffpatch/commit/0e374b5dd8d7879b329a9fc18affbd46ad50dd14nvdWEB
- github.com/benjamine/jsondiffpatch/issues/383nvdWEB
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-12549277nvdWEB
- security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-12549276nvdWEB
- security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-10369031nvdWEB
News mentions
0No linked articles in our index yet.