Executive Summary

CVE-2025-9910 is a Cross-site Scripting (XSS) vulnerability in the jsondiffpatch package versions before 0.7.2, specifically in the HtmlFormatter::nodeBegin function. This vulnerability occurs because the function outputs unsanitized user-controlled input directly into HTML, allowing an attacker to inject malicious scripts into HTML payloads. If untrusted payloads are used as the source for JSON diffs and the built-in HTML formatter renders the result, these scripts can execute in the context of the user's browser on private websites. This can lead to execution of arbitrary code via injection of script tags due to improper sanitization or encoding of HTML content generated by the formatter. [1, 5]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to execute malicious scripts in the context of a trusted website, potentially leading to cookie theft, session hijacking, exposure of sensitive information, unauthorized access to privileged functions, and delivery of malware. The XSS attack can be exploited through stored, reflected, DOM-based, or mutated methods. The impact is primarily on confidentiality and integrity, with no impact on availability. Attackers can exploit this vulnerability remotely over the network without privileges but may require partial user interaction. [3, 4, 5]

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves analyzing whether your application uses the vulnerable versions of the jsondiffpatch package (prior to 0.7.2) and whether untrusted input is passed to the HtmlFormatter::nodeBegin function that renders HTML diffs. You can check your project's dependencies for jsondiffpatch versions below 0.7.2. Additionally, monitoring HTTP traffic or application logs for suspicious payloads containing script tags or unusual HTML content in JSON diff outputs may help detect exploitation attempts. There are no specific commands provided in the resources, but you can use package management commands such as 'npm list jsondiffpatch' or 'yarn list jsondiffpatch' to identify the installed version. Also, scanning your codebase for usage of HtmlFormatter and inspecting input sanitization practices is recommended. [1, 3, 5]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the jsondiffpatch package to version 0.7.2 or later, where the vulnerability has been fixed by properly escaping HTML content in the HtmlFormatter. Additionally, sanitize and validate all user inputs, escape special characters (such as <, >, &, ", and '), enforce Content Security Policies (CSP) to restrict script execution, disable client-side scripts where possible, redirect invalid requests, and monitor for suspicious session activity. Applying these measures reduces the risk of XSS exploitation until the package is updated. [2, 3, 4, 5]

Useful 0 Not Useful 0