CVE-2025-9910
BaseFortify
Publication date: 2025-09-11
Last updated on: 2025-09-11
Assigner: Snyk
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| org.webjars.npm | jsondiffpatch | 0 |
| benjamine | jsondiffpatch | 0.7.2 |
| org.webjars.bower | jsondiffpatch | 0 |
| benjamine | jsondiffpatch | 0.6.0 |
The bare numbers in the last column appear to be range bounds rather than single affected releases: the Q&A below gives the affected range as every jsondiffpatch release before 0.7.2, and 0.7.2 is the fixed version. The webjars entries are the Maven repackagings of the same npm/bower package, so a JVM project that pulls jsondiffpatch through WebJars is in scope as well.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9910 is a cross-site scripting (XSS) vulnerability in the jsondiffpatch npm package, affecting releases before 0.7.2. The defect is in HtmlFormatter::nodeBegin, which writes user-controlled data from the JSON being diffed into its HTML output without escaping it. When an application diffs untrusted JSON and renders the result with the built-in HTML formatter, an attacker who controls either side of the diff can inject markup such as a script tag or an event-handler attribute, and that markup executes in the browser of whoever views the rendered diff, in the origin of the application that displays it. The root cause is missing output encoding in the formatter, not anything the application does with the diff afterwards. [1, 5]
How can this vulnerability impact me?
An attacker who can get malicious JSON diffed and rendered with the HTML formatter runs script in the context of the application that displays the diff. The usual consequences follow: theft of cookies or tokens visible to script, session hijacking, actions performed with the victim's privileges, exfiltration of data shown on the page, and delivery of further payloads. Whether this is stored, reflected or DOM-based XSS depends on where the diffed JSON comes from (persisted documents, request parameters, or data processed in the browser) and on whether the formatter runs on the server or the client. The impact is on confidentiality and integrity; availability is unaffected. Exploitation is remote over the network and needs no privileges, but it requires a user to view the rendered diff. [3, 4, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with inventory: the vulnerable range is every jsondiffpatch release before 0.7.2. `npm ls jsondiffpatch` prints every installed copy in the tree, including copies nested under other dependencies, which a check of the top-level package.json misses; `yarn why jsondiffpatch` and `pnpm why jsondiffpatch` do the same for those package managers, and `npm audit` reports the advisory once it is in the registry's advisory database. Then establish reachability: search the codebase for `HtmlFormatter`, `formatters.html` and `jsondiffpatch/formatters/html` to find where HTML diffs are rendered, and trace whether either side of the diff (or a precomputed delta) can carry attacker-controlled data. Runtime detection is weaker: WAF rules or log searches for fragments such as `<script` or `onerror=` in JSON bodies that feed a diff can surface crude attempts, but encoded or mutated payloads will slip past them. The cited resources give no specific commands; the ones above are standard package-manager invocations. [1, 3, 5]
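To mechanise the inventory step, here is an added example (not a tool from BaseFortify, Snyk or the jsondiffpatch project) that walks a parsed package-lock.json and reports every copy of jsondiffpatch below 0.7.2, nested copies included. It goes beyond the single top-level check described above: it handles both the lockfileVersion 2/3 `packages` map and the lockfileVersion 1 nested `dependencies` tree, and treats a pre-release of 0.7.2 as still vulnerable. The two sample lockfiles are constructed; `yarn.lock` and `pnpm-lock.yaml` are not handled.

```javascript
// Added example: scan a parsed package-lock.json for vulnerable jsondiffpatch copies.
// Not a tool shipped by npm, Snyk or the jsondiffpatch project.

const VULNERABLE_PACKAGE = 'jsondiffpatch';
const FIXED_VERSION = '0.7.2';

// Parses "MAJOR.MINOR.PATCH[-prerelease]" (an optional leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts below the matching release, so
// 0.7.2-beta.1 is still reported as vulnerable. Ordering between two
// pre-releases of the same version is not modelled (returns 0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Entries without a version (e.g. "link": true workspace entries) are skipped.
function isVulnerable(version) {
  return typeof version === 'string' && compareVersions(version, FIXED_VERSION) < 0;
}

// lockfileVersion 2/3: keys are install paths like
// "node_modules/a/node_modules/jsondiffpatch". Match the exact package name at
// any depth, not merely a name prefix (jsondiffpatch-plus must not match).
function isTargetPath(path) {
  const suffix = `node_modules/${VULNERABLE_PACKAGE}`;
  return path === suffix || path.endsWith(`/${suffix}`);
}

// lockfileVersion 1: a nested tree of { name: { version, dependencies } }.
function walkV1(deps, prefix, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === VULNERABLE_PACKAGE && isVulnerable(info.version)) {
      hits.push({ path, version: info.version });
    }
    walkV1(info.dependencies, `${path}/`, hits);
  }
}

function findVulnerableCopies(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    for (const [path, info] of Object.entries(lockfile.packages)) {
      if (isTargetPath(path) && isVulnerable(info.version)) {
        hits.push({ path, version: info.version });
      }
    }
  } else {
    walkV1(lockfile.dependencies, '', hits);
  }
  return hits;
}

// Constructed lockfileVersion 3 sample: the direct dependency is patched, but a
// stale nested copy is pulled in by a third-party package.
const SAMPLE_LOCKFILE_V3 = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { jsondiffpatch: '^0.7.2', 'legacy-diff-viewer': '1.0.0' } },
    'node_modules/jsondiffpatch': { version: '0.7.2' },
    'node_modules/legacy-diff-viewer': { version: '1.0.0', dependencies: { jsondiffpatch: '^0.6.0' } },
    'node_modules/legacy-diff-viewer/node_modules/jsondiffpatch': { version: '0.6.0' },
    'node_modules/jsondiffpatch-plus': { version: '0.1.0' },
  },
};

// Constructed lockfileVersion 1 sample: vulnerable at top level, patched nested copy.
const SAMPLE_LOCKFILE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    jsondiffpatch: { version: '0.4.1' },
    'legacy-diff-viewer': { version: '1.0.0', dependencies: { jsondiffpatch: { version: '0.7.3' } } },
  },
};

console.log(findVulnerableCopies(SAMPLE_LOCKFILE_V3));
console.log(findVulnerableCopies(SAMPLE_LOCKFILE_V1));
```

On a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerableCopies` and fail the build when the result is non-empty; the nested-copy case is the one `npm ls jsondiffpatch` reports and a package.json-only check does not.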
What immediate steps should I take to mitigate this vulnerability?
Upgrade jsondiffpatch to 0.7.2 or later; the fix escapes the data the HtmlFormatter emits. Upgrade every nested copy as well, not only the direct dependency: confirm with `npm ls jsondiffpatch`, and pin the version through an `overrides` entry (npm) or `resolutions` entry (yarn) if a third-party package drags in an old release. Until the upgrade lands, stop passing untrusted JSON to the HTML formatter, or escape the HTML-significant characters (<, >, &, ", ') in the data before diffing so the emitted markup is inert, and render diffs that are not displayed as a web page in a non-HTML form (the console formatter, or plain JSON). A Content Security Policy that forbids inline scripts and event handlers limits what an injected payload can do, and monitoring for anomalous session activity helps catch exploitation, but these are compensating controls: only output escaping in the formatter, which is what 0.7.2 does, removes the bug. [2, 3, 4, 5]
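The mechanism described under "Can you explain this vulnerability to me?" and the escaping fix above come down to one pattern, shown here as an added example rather than jsondiffpatch's own code: a diff node renderer that interpolates a property name into HTML unescaped, beside a version that escapes it. The delta array shapes ([new], [old, new], [old, 0, 0]) are modelled on the format jsondiffpatch documents; the `nodeBegin*` signatures, the CSS class names and the `flatDiff` helper are this example's own, and the attacker payload is constructed.

```javascript
// Added example: unsafe versus escaped diff node rendering. Not jsondiffpatch's
// code; class names and function signatures are placeholders for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: the property name reaches the markup untouched.
function nodeBeginUnsafe(key, type) {
  return `<li class="diff-${type}"><div class="diff-property-name">${key}</div>`;
}

// Hardened pattern: every fragment that originates from the diffed data is escaped.
function nodeBeginSafe(key, type) {
  return `<li class="diff-${escapeHtml(type)}"><div class="diff-property-name">${escapeHtml(key)}</div>`;
}

// Minimal flat object diff producing the array shapes modelled on jsondiffpatch:
// [new] added, [old, new] modified, [old, 0, 0] deleted. Unchanged keys are omitted.
function flatDiff(left, right) {
  const delta = {};
  for (const key of new Set([...Object.keys(left), ...Object.keys(right)])) {
    const inLeft = Object.prototype.hasOwnProperty.call(left, key);
    const inRight = Object.prototype.hasOwnProperty.call(right, key);
    if (inLeft && !inRight) delta[key] = [left[key], 0, 0];
    else if (!inLeft && inRight) delta[key] = [right[key]];
    else if (left[key] !== right[key]) delta[key] = [left[key], right[key]];
  }
  return delta;
}

// Renders a flat delta to HTML. The value cell is escaped in both variants, so
// the only difference is what nodeBegin does with the property name: escaping
// values elsewhere does not help when one emission point is missed.
function renderDelta(delta, nodeBegin) {
  const parts = ['<ul class="diff-delta">'];
  for (const key of Object.keys(delta)) {
    const entry = delta[key];
    let type = 'modified';
    if (entry.length === 1) type = 'added';
    else if (entry.length === 3 && entry[1] === 0 && entry[2] === 0) type = 'deleted';
    parts.push(nodeBegin(key, type));
    parts.push(`<div class="diff-value">${escapeHtml(JSON.stringify(entry))}</div></li>`);
  }
  parts.push('</ul>');
  return parts.join('');
}

// Constructed attacker input: the right-hand document carries a property whose
// name is an image tag with an event handler. Diffing it against a benign
// document makes that name an "added" node in the delta.
const PAYLOAD_KEY = '<img src=x onerror="alert(document.cookie)">';
const LEFT = { name: 'alice', role: 'user' };
const RIGHT = { name: 'bob', role: 'user', [PAYLOAD_KEY]: 1 };

const DELTA = flatDiff(LEFT, RIGHT);
const UNSAFE_HTML = renderDelta(DELTA, nodeBeginUnsafe);
const SAFE_HTML = renderDelta(DELTA, nodeBeginSafe);

console.log('unsafe:', UNSAFE_HTML);
console.log('safe:  ', SAFE_HTML);
```

Note that the unsafe output contains the payload as a live `<img ... onerror>` element even though the value cell was escaped; the hardened output renders the same bytes as `&lt;img ...&gt;` text. Escaping at the point of emission, as the 0.7.2 fix does, is the only change between the two.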