jsondiffpatch Cross-Site Scripting Vulnerability in Annotated Formatter
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in the jsondiffpatch package in versions prior to 0.7.6. The issue is in the annotated formatter, which inserts JSON values and property names into the HTML it generates without properly escaping them, so attacker-controlled HTML in either a value or a key survives into the output. When an application diffs untrusted JSON and renders the annotated formatter output in the DOM (for example by assigning it to innerHTML), the injected markup is parsed by the browser and any embedded script or event handler runs in the user's session.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser, potentially leading to session hijacking or other malicious actions.
Reproduction
The vulnerability can be reproduced by diffing two JSON objects with jsondiffpatch. The first object contains an unescaped HTML value, such as an image tag with an event handler, and the second object contains a property name that also carries unescaped HTML, so that both a value and a key end up in the delta. After computing the delta, the annotated formatter's HTML output is assigned to an element's innerHTML; the browser parses the injected tag and fires its event handler.
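The following is an added example, not code from the jsondiffpatch project, that models the reproduction above in a self-contained way so it runs without the library: a shallow object diff producing a delta in jsondiffpatch's documented shape ([new] for an added key, [old, new] for a modified key, [old, 0, 0] for a deleted key), and a simplified annotated-style HTML formatter that can be run with or without HTML escaping. The formatter, the diff helper, the payload strings and the containsLiveTag check are all constructed for illustration; only the delta convention is the library's. The unescaped variant mirrors the behaviour the advisory describes for versions before 0.7.6, and the escaped variant shows the kind of output that is safe to place in the DOM.

```javascript
// Added example (not jsondiffpatch's own code). Hypothetical stand-in for the
// diff -> annotated HTML -> innerHTML pipeline described in the advisory.

// Constructed attacker-controlled inputs: an HTML value on the left side and an
// HTML property name on the right side, as in the reproduction steps.
const LEFT = { title: 'hello', payload: '<img src=x onerror=alert(1)>' };
const RIGHT = { title: 'hello', '<img src=x onerror=alert(2)>': true };

// Shallow diff emitting a jsondiffpatch-style delta:
//   [newValue]        -> key added
//   [oldValue, newValue] -> key modified
//   [oldValue, 0, 0]  -> key deleted
function diff(left, right) {
  const delta = {};
  const keys = new Set([...Object.keys(left), ...Object.keys(right)]);
  for (const key of keys) {
    const inLeft = Object.prototype.hasOwnProperty.call(left, key);
    const inRight = Object.prototype.hasOwnProperty.call(right, key);
    if (inLeft && !inRight) {
      delta[key] = [left[key], 0, 0];
    } else if (!inLeft && inRight) {
      delta[key] = [right[key]];
    } else if (JSON.stringify(left[key]) !== JSON.stringify(right[key])) {
      delta[key] = [left[key], right[key]];
    }
  }
  return delta;
}

// Escapes the characters that let text break out of an HTML text node or a
// quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Renders a delta as an annotated HTML list. `escape` is the identity function
// for the vulnerable variant and escapeHtml for the fixed variant. Both the
// property name and the value pass through it, matching the two injection
// points named in the advisory.
function formatAnnotated(delta, escape) {
  const rows = Object.entries(delta).map(([key, d]) => {
    let kind;
    let value;
    if (d.length === 1) {
      kind = 'added';
      value = d[0];
    } else if (d.length === 3 && d[1] === 0 && d[2] === 0) {
      kind = 'deleted';
      value = d[0];
    } else {
      kind = 'modified';
      value = d[1];
    }
    return `<li class="${kind}"><span class="key">${escape(key)}</span>: ` +
      `<span class="value">${escape(JSON.stringify(value))}</span></li>`;
  });
  return `<ul class="annotated-diff">${rows.join('')}</ul>`;
}

// Cheap check for the specific payload: is there still a literal <img ...onerror=
// tag that a browser would execute when the string is parsed as markup?
function containsLiveTag(html) {
  return /<img\b[^>]*\bonerror\s*=/i.test(html);
}

const delta = diff(LEFT, RIGHT);
const vulnerableHtml = formatAnnotated(delta, (s) => s);   // pre-0.7.6 style
const fixedHtml = formatAnnotated(delta, escapeHtml);      // escaped output

if (typeof document !== 'undefined') {
  // In a browser, `el.innerHTML = vulnerableHtml` would fire alert(1)/alert(2).
  // Assigning the same string to textContent never parses it as markup.
  const el = document.createElement('div');
  el.textContent = vulnerableHtml;
  document.body.appendChild(el);
}
```

Running this in Node prints nothing; the point is that containsLiveTag(vulnerableHtml) is true while containsLiveTag(fixedHtml) is false, because both the deleted value and the added property name come back as &lt;img ...&gt; once escaped. The regex check is specific to this payload and is not a substitute for escaping; the fix is to escape at the formatter and, where possible, to avoid innerHTML for any string derived from untrusted JSON.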
Remediation
Users are advised to upgrade jsondiffpatch to version 0.7.6 or higher. Until the upgrade is in place, applications that diff untrusted JSON should not assign annotated formatter output to innerHTML.
