CVE-2025-9910

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-9910

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-9910.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-9910

Aliases

GHSA-33vc-wfww-vjfv

Downstream

MINI-5vcf-2p87-rmx8

MINI-9rjc-989r-c698

MINI-f3cj-33w9-qff9

MINI-hc79-xgh8-j74q

MINI-p985-j29q-xwm6

MINI-rr7h-4j8f-r9xf

Related

CGA-q6w8-87c5-j7jq

Published

2025-09-11T05:15:34Z

Modified

2025-09-12T21:57:19.248178Z

Summary

[none]

Details

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.

References

Affected packages

Git / github.com/benjamine/jsondiffpatch

Affected ranges

Type: GIT
Repo: https://github.com/benjamine/jsondiffpatch
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0e374b5dd8d7879b329a9fc18affbd46ad50dd14

Affected versions

v0.*

v0.0.10

v0.0.11

v0.0.2

v0.0.3

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.35

v0.1.4

v0.1.42

v0.1.5

v0.1.6

v0.1.7

v0.1.8

v0.3.10

v0.3.11

v0.3.6

v0.3.7

v0.3.8

v0.3.9

v0.4.0

v0.4.1

v0.5.0

v0.6.0