Priority from VULN: Medium
This is a copy of the linked VULN ticket issue. You only need to update this ticket and the VULN ticket will be synced accordingly.

Vulnerability Details

The following vulnerabilities were found in the third party component pkg:npm/jsondiffpatch@0.5.0 used in the repo: https://github.com/mongodb-js/compass:

You are responsible for fixing it by and ensuring the fix is released, if required, by the relevant Due Date.

• A new release is required if the finding is on a stable branch that customers may be using. Stable branches refer to any branch excluding main or master, for products that do not trigger releases directly from main or master branches.

Affected Platforms: _ubuntu, _macos-arm, _rhel, _macos, _windows

How do I fix this?
You need to update the package to a version that does not contain the vulnerability. Please reference the Fixed Version(s) column above for options. If there are multiple CVEs, updating to the latest fixed version that addresses all CVEs is recommended.

If the Fixed Version(s) column says Unknown for a CVE, that just means the scanner that was used to find vulnerabilities doesn't have the fix version information. Please visit the link to the CVE page, to find the fix version. If you are having trouble finding the fixed version, please reach out in the #secure-sdlc-program Slack channel for help.

If you are still unable to find a fixed version or need additional assistance, please reach out in the #secure-sdlc-program channel.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2025-9910
• https://github.com/benjamine/jsondiffpatch/issues/383
• https://github.com/benjamine/jsondiffpatch/commit/0e374b5dd8d7879b329a9fc18affbd46ad50dd14
• https://benjamine.github.io/jsondiffpatch/index.html
• https://github.com/benjamine/jsondiffpatch
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-12549277
• https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-12549276
• https://security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-10369031

Tool Description: ### Vulnerability in jsondiffpatch

Versions of `jsondiffpatch` prior to `0.7.2` are vulnerable to Cross-site Scripting (XSS) in the `HtmlFormatter` (`HtmlFormatter::nodeBegin`). When diffs are rendered to HTML using the built-in formatter, untrusted payloads can inject scripts and execute in the context of a consuming web page.

*Affected versions:* >= 0, < 0.7.2
*Patched version:* 0.7.2

*Remediation*
Upgrade to `jsondiffpatch` `0.7.2` or later. The fix hardens the HTML formatter to avoid script injection.

*Workarounds*
Avoid using the HTML formatter on untrusted diffs, or sanitize/escape the rendered output.

🔥 Please see go/vuln-flow for detailed guidance.