Reflected cross-site scripting (XSS) in jsondiffpatch
Description
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
Vulnerability in jsondiffpatch
Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting (XSS) in the HtmlFormatter (HtmlFormatter::nodeBegin). When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts and execute in the context of a consuming web page.
Affected versions: >= 0, < 0.7.2
Patched version: 0.7.2
Remediation
Upgrade to jsondiffpatch 0.7.2 or later. The fix hardens the HTML formatter to avoid script injection.
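The following is an added example, not code from the advisory or from the jsondiffpatch project: it evaluates a version against the advisory's affected range (">= 0, < 0.7.2") and walks a constructed package-lock.json "packages" map to flag every installed copy, including nested ones, that still needs the upgrade to 0.7.2.

```javascript
// Added example (not from the advisory or the jsondiffpatch project): test whether an
// installed jsondiffpatch version falls inside the advisory's affected range ">= 0, < 0.7.2".
const ADVISORY = { package: "jsondiffpatch", affected: ">= 0, < 0.7.2", patched: "0.7.2" };

// "1.2.3", "v1.2.3" or "1.2.3-beta" -> [1, 2, 3] (pre-release tags are ignored here).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Parse a comma-separated comparator list such as ">= 0, < 0.7.2"; a bare "0" means "0.0.0".
function parseRange(range) {
  return range.split(",").map((part) => {
    const m = /^\s*(>=|<=|>|<|=)?\s*v?(\d+(?:\.\d+){0,2})\s*$/.exec(part);
    if (!m) throw new Error(`unparseable comparator: ${part}`);
    const nums = m[2].split(".");
    while (nums.length < 3) nums.push("0");
    return { op: m[1] || "=", bound: nums.join(".") };
  });
}

const OPS = { ">=": (c) => c >= 0, "<=": (c) => c <= 0, ">": (c) => c > 0, "<": (c) => c < 0, "=": (c) => c === 0 };

// True when `version` satisfies every comparator in the range, i.e. the version is affected.
function isAffected(version, range = ADVISORY.affected) {
  return parseRange(range).every(({ op, bound }) => OPS[op](compareVersions(version, bound)));
}

// Walk a package-lock.json "packages" map (lockfileVersion 2/3) and report affected copies,
// including nested ones installed under another dependency's node_modules.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${ADVISORY.package}`) && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile (not real data): one vulnerable copy and one nested patched copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/jsondiffpatch": { version: "0.6.0" },
  "node_modules/some-dep/node_modules/jsondiffpatch": { version: "0.7.2" } } };
```

Nested copies matter because a transitive dependency can pin its own older jsondiffpatch even after the top-level package is upgraded.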
Workarounds
Avoid using the HTML formatter on untrusted diffs, or sanitize/escape the rendered output.
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| npm | jsondiffpatch | >= 0, < 0.7.2 | 0.7.2 |