Description
Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression.
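The anchoring problem described above can be seen by comparing a loosely anchored HTML detector with a strict one. This is an added example, not jQuery's source: the two patterns, the function names and the sample strings are simplified assumptions constructed for illustration.

```javascript
// Added illustration. Both patterns are simplified assumptions,
// not copied from any jQuery release.

// Loose: any run of characters other than '#' or '<' may precede the markup,
// so a string that starts like a selector still counts as HTML.
const LOOSE_HTML = /^[^#<]*(<[\w\W]+>)[^>]*$/;

// Strict: the markup must begin at the first character of the string.
const STRICT_HTML = /^(<[\w\W]+>)[^>]*$/;

// Decide how a string argument would be interpreted under a given pattern.
function classify(input, htmlPattern) {
  return htmlPattern.test(input) ? "html" : "selector";
}

// Constructed sample inputs (harmless markup only).
const SAMPLES = [
  "#main .item",              // plain selector
  "<p>hello</p>",             // plain markup
  "div.item <b>bold</b>",     // selector-looking prefix followed by markup
  ".tab[data-x] <i>note</i>", // same shape with an attribute selector
  "#tab <b>x</b>",            // leading '#' is excluded by both patterns
];

// Classify every sample under both patterns.
function compare(samples) {
  return samples.map((s) => ({
    input: s,
    loose: classify(s, LOOSE_HTML),
    strict: classify(s, STRICT_HTML),
  }));
}

// Inputs whose interpretation differs between the two patterns. These are
// the strings a caller expects to be selectors but that get parsed as HTML.
function divergent(samples) {
  return compare(samples)
    .filter((r) => r.loose !== r.strict)
    .map((r) => r.input);
}

console.table(compare(SAMPLES));
console.log("Interpreted differently:", divergent(SAMPLES));
```

Call sites that pass untrusted strings to the main function expecting selector lookup are the ones to review, since the divergent inputs are treated as markup under the loose pattern.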
Recommendation
Update the jquery package to the latest compatible version. Version details:
- Affected version(s): <= 1.8.3
- Patched version(s): 1.9.0
References
- GHSA-2pqj-h3vj-pqgw
- bugs.jquery.com
- help.ecostruxureit.com
- lists.apache.org
- snyk.io
- lists.opensuse.org
- packetstormsecurity.com
- security.snyk.io
- research.insecurelabs.org
- web.archive.org
- CVE-2012-6708
- CWE-64
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Denial of Service in jquery - CVE-2016-10707
- Prototype Pollution in lodash (GHSA-4xc9-xhrj-v574) - CVE-2018-16487
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
Tags
- npm
- jquery
Last updated on July 10, 2023