XSS Vulnerability in org.webjars.bower.jsondiffpatch via HtmlFormatter

Key Information Vulnerability Type Cross-site Scripting (XSS) Affected Packages and Versions org.webjars.bower.jsondiffpatch package, version [1.0] Severity CVSS Base Score: 2.3 Severity: LOW Vulnerability Description Overview: is a JSON diff & patch library. Affected versions are vulnerable to Cross-Site Scripting (XSS) attacks via script injection through the HtmlFormatter::nodeBegin method. If untrusted patches are used as source for diff operations, and the results are rendered using the built-in Html formatter on a private website, it may lead to code execution. Attack Types Stored XSS: Malicious code is stored within the application. Reflected XSS: Malicious links are directly reflected from the vulnerable site to the user’s browser. DOM-based XSS: Attackers force the user’s browser to render a malicious page. Mutated XSS: Attackers inject code that appears safe but is modified during parsing. Affected Environments Web servers Application servers Web application environments How to Fix A fix has been pushed to the master branch but not yet released. Best practices include: sanitizing all data inputs in HTTP requests, escaping special characters, disabling client-side scripts, limiting invalid requests, and detecting anomalous logins. CVSS Base Scores Version 4.0: 2.3 LOW Version 3.1: 2.3 LOW Additional Information Published: 10 Sept 2025 Disclosed: 4 Mar 2025 Credit: zenide

Goal Reached Thanks to every supporter — we hit 100%!

XSS Vulnerability in org.webjars.bower.jsondiffpatch via HtmlFormatter