Vulnerability Description
Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://benjamine.github.io/jsondiffpatch/index.html
- https://github.com/benjamine/jsondiffpatch/commit/0e374b5dd8d7879b329a9fc18affbd
- https://github.com/benjamine/jsondiffpatch/issues/383
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-12549277
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-12549276
- https://security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-10369031
FAQ
What is CVE-2025-9910?
CVE-2025-9910 is a vulnerability with a CVSS score of 4.7 (MEDIUM). Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead ...
How severe is CVE-2025-9910?
CVE-2025-9910 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-9910?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.