CVE-2025-9910 Overview
CVE-2025-9910 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting versions of the jsondiffpatch package prior to 0.7.2. The flaw resides in the HtmlFormatter::nodeBegin method of the built-in HTML formatter. An attacker who controls a JSON payload used as input to the diff operation can inject malicious script content. When the resulting diff is rendered with the HTML formatter on a private website, the injected script may execute in the victim's browser context.
Critical Impact
Untrusted JSON inputs rendered through the jsondiffpatch HTML formatter can execute attacker-controlled JavaScript, potentially leading to session compromise or client-side code execution on internal tools that consume the diff output.
Affected Products
- jsondiffpatch npm package versions prior to 0.7.2
- jsondiffpatch WebJars (npm) distribution prior to 0.7.2
- jsondiffpatch WebJars (Bower) distribution prior to 0.7.2
Discovery Timeline
- 2025-09-11 - CVE-2025-9910 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9910
Vulnerability Analysis
The jsondiffpatch library computes structural differences between JSON documents and provides formatters to render those differences. The built-in HtmlFormatter class produces HTML markup that visualizes the delta. Prior to version 0.7.2, the formatter concatenated raw values into HTML strings without escaping. Any string embedded in the source or target JSON that contained HTML control characters was written verbatim into the rendered output. When a browser parsed that output, attacker-supplied <script> tags or event-handler attributes executed in the page origin.
Exploitation requires that untrusted JSON reach the diff routine and that the HTML formatter render the result on a page the victim visits. Consumers typically embed the formatter in internal review dashboards, audit tools, and configuration diff viewers, which broadens the attack surface for stored XSS.
Root Cause
The root cause is missing output encoding in the HTML formatter. The typeFormattterErrorFormatter method and adjacent value-rendering paths used template literals to interpolate untrusted content directly into HTML strings. Without an HTML-escape step, characters such as <, >, and " retained their markup semantics when injected into the DOM.
Attack Vector
The attacker supplies a JSON value containing HTML or JavaScript markup as one side of the diff. When the application invokes the HTML formatter and inserts the returned string into the DOM, the payload activates. Delivery paths include user-submitted records, imported configuration files, or any upstream data source that feeds a diff view.
// Security patch in packages/jsondiffpatch/src/formatters/html.ts - fix: #383
class HtmlFormatter extends BaseFormatter<HtmlFormatterContext> {
typeFormattterErrorFormatter(context: HtmlFormatterContext, err: unknown) {
- // eslint-disable-next-line @typescript-eslint/restrict-template-expressions
- context.out(`<pre class="jsondiffpatch-error">${err}</pre>`);
+ const message =
+ typeof err === 'object' &&
+ err !== null &&
+ 'message' in err &&
+ typeof err.message === 'string'
+ ? err.message
+ : String(err);
+ context.out(
+ `<pre class="jsondiffpatch-error">${htmlEscape(message)}</pre>`,
+ );
}
formatValue(context: HtmlFormatterContext, value: unknown) {
Source: GitHub commit 0e374b5. The patch introduces an htmlEscape call before interpolating error content into the output buffer, neutralizing script markup.
Detection Methods for CVE-2025-9910
Indicators of Compromise
- JSON records containing <script>, onerror=, onload=, or javascript: substrings entering diff pipelines from untrusted sources.
- Rendered diff pages that emit unexpected outbound requests to attacker-controlled domains after loading.
- Browser console errors or Content Security Policy (CSP) violation reports originating from pages that embed jsondiffpatch output.
Detection Strategies
- Inventory application dependencies with npm ls jsondiffpatch and flag any version below 0.7.2.
- Perform static analysis on codebases for imports of HtmlFormatter or format from jsondiffpatch/formatters/html combined with untrusted inputs.
- Add regression tests that feed HTML-tagged JSON into diff endpoints and assert that the rendered output escapes markup.
Monitoring Recommendations
- Enable CSP report-only mode on pages that render diffs and monitor violations for inline script execution.
- Log and alert on diff render failures or error output, since the patched code path specifically handled error message escaping.
- Track dependency drift with Software Composition Analysis (SCA) tools to catch regressions to vulnerable versions.
How to Mitigate CVE-2025-9910
Immediate Actions Required
- Upgrade jsondiffpatch to version 0.7.2 or later across all Node.js, Bower, and WebJars deployments.
- Audit application code for direct use of the HTML formatter with untrusted input and add server-side sanitization as a defense-in-depth layer.
- Deploy a strict Content Security Policy that disallows inline scripts on pages that render diff output.
Patch Information
The fix is delivered in jsondiffpatch0.7.2. The relevant commit is 0e374b5, which applies htmlEscape to error content before rendering. Additional context is available in the upstream GitHub issue #383 and the Snyk advisory.
Workarounds
- Replace the built-in HTML formatter with a custom formatter that escapes all values before writing them to the output buffer.
- Sanitize JSON inputs on ingress with an allowlist that strips HTML control characters when the diff output is rendered as HTML.
- Render diffs using the JSON or console formatters instead of the HTML formatter until upgrade is complete.
# Upgrade to the patched release
npm install jsondiffpatch@^0.7.2
# Verify installed version
npm ls jsondiffpatch
# Audit for known advisories
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

