Sign In

CVE-2025-9910

ADVISORY - github

Summary

Vulnerability in jsondiffpatch

Versions of jsondiffpatch prior to 0.7.2 are vulnerable to Cross-site Scripting (XSS) in the HtmlFormatter (HtmlFormatter::nodeBegin). When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts and execute in the context of a consuming web page.

Affected versions: >= 0, < 0.7.2 Patched version: 0.7.2

Remediation Upgrade to jsondiffpatch 0.7.2 or later. The fix hardens the HTML formatter to avoid script injection.

Workarounds Avoid using the HTML formatter on untrusted diffs, or sanitize/escape the rendered output.

EPSS Score: 0.00043 (0.131)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADVISORY - github

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Advisories
Sign in to Docker Scout

See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.

Sign in