Denial of Service in jquery

Severity:: High

Description

Affected versions of jquery use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, jquery enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.

Recommendation

Update the jquery package to the latest compatible version. Followings are version details:

Affected version(s): = 3.0.0-rc.1
Patched version(s): 3.0.0

References

GHSA-mhpp-875w-9cpv
www.npmjs.com
snyk.io
CVE-2016-10707
CWE-400
CWE-674
CAPEC-310
OWASP 2021-A6

Related Issues

Code Injection in node-rules - CVE-2020-7609
Potential XSS vulnerability in jQuery - CVE-2020-11023
Command Injection in lodash - CVE-2021-23337
gifplayer XSS vulnerability - CVE-2025-31128

Tags:: npm; jquery

Anything's wrong? Let us know Last updated on September 02, 2025