Vulnerable jsondiffpatch Version in Dependency Tree (XSS fixed in 0.7.2)

[kiranperaka]

A potential Cross-site Scripting (XSS) vulnerability has been reported in the jsondiffpatch library, which is indirectly used within the Angular-Meteor ecosystem.

Affected versions of jsondiffpatch contain an XSS vulnerability in HtmlFormatter::nodeBegin.
If untrusted payloads are used as input for diffing and the result is rendered with the built-in HTML formatter, malicious scripts may be injected into the generated HTML. This could lead to unintended script execution in environments where the output is displayed—such as internal dashboards or admin tools.

Severity information

Snyk: CVSS v4.0: 2.3 (Low), CVSS v3.1: 4.7 (Medium)