jsondiffpatch, Cross-site Scripting (XSS), CVE-2025-42425 (Low)

Listen to this Post

The vulnerability CVE-2025-42425 exists within the `HtmlFormatter::nodeBegin` method of the jsondiffpatch library. This function is responsible for generating the initial HTML tags for nodes in the visualized JSON diff output. The method improperly treats user-supplied data from the JSON objects being compared, failing to sanitize it for HTML context. When the diff is performed on a malicious JSON object containing crafted HTML sequences, such as <script>alert(1)</script>, this input is directly interpolated into the HTML output string without escaping. Consequently, the browser interprets the injected script tags as executable code rather than inert text. This allows an attacker to execute arbitrary JavaScript in the context of the victim’s browser session if they can control one of the JSON inputs and the resulting diff is rendered using the vulnerable HtmlFormatter.
Platform: Node.js
Version: <0.7.2
Vulnerability: XSS
Severity: Low

date: 2025-09-11

Prediction: Patch: 2025-09-15

What Undercode Say:

`npm audit`

`jsondiffpatch.format.html`

`const delta = jsondiffpatch.diff(obj1, obj2);`

`const html = jsondiffpatch.formatters.html.format(delta, obj1);`

`element.innerHTML = html;`

How Exploit:

`{“malicious”: “

“}`

Protection from this CVE

Update to version 0.7.2. Sanitize all untrusted JSON input. Avoid using innerHTML.

Impact:

Arbitrary JavaScript execution. Session hijacking.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top