CVE-2025-9910: 
JavaScript vulnerability analysis and mitigation

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. The vulnerability was discovered on March 3, 2025, and publicly disclosed on September 11, 2025. The affected packages include jsondiffpatch, org.webjars.npm:jsondiffpatch, and org.webjars.bower:jsondiffpatch (Snyk Advisory).

The vulnerability exists in the HtmlFormatter::nodeBegin component where malicious scripts can be injected into HTML payloads. The issue stems from improper sanitization of input data when rendering HTML output. The vulnerability has been assigned a CVSS v4.0 base score of 1.3 (Low) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N and CVSS v3.1 base score of 4.7 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website. The vulnerability could potentially allow attackers to execute arbitrary JavaScript code in the context of the affected web application (Snyk Advisory).

Users should upgrade jsondiffpatch to version 0.7.2 or higher, which contains the fix for this vulnerability. A fix has been implemented in the master branch through commit 0e374b5dd8d7879b329a9fc18affbd46ad50dd14 that properly escapes HTML content (GitHub Commit).