
CVE-2025-9910: Cross-site Scripting (XSS) in jsondiffpatch

Low
Published: Thu Sep 11 2025 (09/11/2025, 05:00:02 UTC)
Source: CVE Database V5
Product: jsondiffpatch

Description

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads, which may lead to code execution if untrusted payloads are used as the source for the diff and the result is rendered using the built-in HTML formatter on a private website.

AI-Powered Analysis

Last updated: 09/11/2025, 13:18:08 UTC

Technical Analysis

CVE-2025-9910 is a Cross-site Scripting (XSS) vulnerability in the jsondiffpatch package, affecting versions prior to 0.7.2. jsondiffpatch is a JavaScript library that computes the difference between two JSON documents and renders that difference in several formats, including HTML. The flaw lies in the HtmlFormatter::nodeBegin function, which generates the HTML markup for each node of a diff. When untrusted or attacker-controlled JSON is used as the source for a diff, strings from that JSON reach the generated HTML without adequate escaping, so an attacker can place script content in the rendered output. Any JavaScript injected this way executes in the browser of the user viewing the diff, in the security context of the affected web application, which threatens the confidentiality and integrity of that application's data and sessions. The vulnerability is exploitable remotely without authentication, but it requires user interaction: a victim must view the crafted diff output, for example on a private website. The CVSS 4.0 base score is 2.3 (low), reflecting the limited impact and the user-interaction requirement. No exploits in the wild are currently reported. The vulnerability matters for any application that uses jsondiffpatch to render JSON diffs as HTML, particularly where untrusted input may be diffed and displayed without sanitization or output escaping.

Potential Impact

For European organizations, the impact of this vulnerability depends on how widely jsondiffpatch is used in their web applications or internal tools to render JSON diffs. Organizations that use jsondiffpatch in private or internal web portals to display JSON differences are exposed to XSS if untrusted data sources are diffed and rendered without proper input validation or output escaping. Successful exploitation could lead to session hijacking, unauthorized actions performed on behalf of users, or theft of sensitive information accessible through the web application. Although the vulnerability is rated low severity, it could be used as one stage of a larger attack chain, especially in sectors handling sensitive data such as finance, healthcare, or government services. The user-interaction requirement and the absence of known active exploits reduce the immediate risk, but the vulnerability still threatens confidentiality and integrity if left unmitigated.

Mitigation Recommendations

European organizations should upgrade jsondiffpatch to version 0.7.2 or later, where this vulnerability is fixed. If an immediate upgrade is not feasible, apply strict input validation and sanitization to all JSON data before performing diff operations and rendering HTML output. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the web application context. Additionally, avoid rendering diffs of untrusted or user-supplied JSON data as HTML, or use alternative rendering methods that do not produce HTML output. Conduct code reviews and security testing focused on XSS vectors in any custom usage of jsondiffpatch. Monitoring web application logs for unusual script injection attempts and educating developers about secure handling of JSON diff rendering can further reduce risk.
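To make the mechanism in the technical analysis and the escaping recommended above concrete, here is an added example (not jsondiffpatch's own code): the "begin a node" step of a minimal HTML diff formatter, in an unescaped form beside an escaped form, plus a review check that no input string carrying markup characters reaches the output verbatim. Function names, the flat-diff renderer and the CSS class names are illustrative assumptions, not the library's API; the sample documents are constructed.

```javascript
// Added example (not jsondiffpatch's own code): the "begin a node" step of a
// minimal HTML diff formatter, in its unescaped form and its escaped form.
// Function names and CSS class names are illustrative, not the library's API.

// Escape the characters that let a string change HTML structure or leave an attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Weak pattern: key and values are concatenated straight into the markup, so a
// value from an untrusted JSON document is emitted as live HTML.
function nodeBeginUnsafe(key, oldValue, newValue) {
  return `<li class="jsondiffpatch-modified" data-key="${key}">` +
    `<div class="jsondiffpatch-property-name">${key}</div>` +
    `<div class="jsondiffpatch-left-value">${JSON.stringify(oldValue)}</div>` +
    `<div class="jsondiffpatch-right-value">${JSON.stringify(newValue)}</div>`;
}

// Corrected pattern: every untrusted string is escaped before it is placed in
// element content or in an attribute value.
function nodeBeginSafe(key, oldValue, newValue) {
  return `<li class="jsondiffpatch-modified" data-key="${escapeHtml(key)}">` +
    `<div class="jsondiffpatch-property-name">${escapeHtml(key)}</div>` +
    `<div class="jsondiffpatch-left-value">${escapeHtml(JSON.stringify(oldValue))}</div>` +
    `<div class="jsondiffpatch-right-value">${escapeHtml(JSON.stringify(newValue))}</div>`;
}

// Render a flat diff of two objects: one node per property whose value changed.
function renderDiffHtml(left, right, nodeBegin) {
  const keys = [...new Set([...Object.keys(left), ...Object.keys(right)])].sort();
  const items = keys
    .filter((k) => JSON.stringify(left[k]) !== JSON.stringify(right[k]))
    .map((k) => nodeBegin(k, left[k], right[k]) + '</li>');
  return `<ul class="jsondiffpatch-delta">${items.join('')}</ul>`;
}

// Review check: does any input string that carries markup characters reach the
// output verbatim? A correct formatter must return false for every input.
function leaksInputMarkup(html, inputStrings) {
  return inputStrings.some((s) => /[<>"']/.test(s) && html.includes(s));
}

// Constructed untrusted input: the right-hand document carries a script tag.
const left = { name: 'widget', note: 'ok' };
const right = { name: 'widget', note: '<script>alert(1)</script>' };
```

Running `leaksInputMarkup(renderDiffHtml(left, right, nodeBeginUnsafe), [right.note])` returns true, while the same call with `nodeBeginSafe` returns false because the tag is emitted as `&lt;script&gt;`.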


Technical Details

Data Version: 5.1
Assigner Short Name: snyk
Date Reserved: 2025-09-03T08:48:06.729Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c2cc018a22ab8ffbcec2df

Added to database: 9/11/2025, 1:17:53 PM

Last enriched: 9/11/2025, 1:18:08 PM

Last updated: 9/11/2025, 2:27:24 PM


