SB2025112114 - Cross-site scripting in jsondiffpatch
Published: November 21, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2025-9910)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.
Remediation
Install update from vendor's website.
References
- https://benjamine.github.io/jsondiffpatch/index.html
- https://github.com/benjamine/jsondiffpatch/commit/0e374b5dd8d7879b329a9fc18affbd46ad50dd14
- https://github.com/benjamine/jsondiffpatch/issues/383
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-12549277
- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-12549276
- https://security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-10369031