Outdated jQuery Library Allows Malicious Scripts to Run on Your Site

Vulnerability Explanation

In jQuery versions >= 1.0.3 and < 3.5.0, the `htmlPrefilter` method uses a regular expression to process HTML strings before DOM insertion. This regex can be bypassed when the input contains `<option>` elements or self-closing tags. Even if the HTML string has been sanitized by an external library before being passed to jQuery DOM manipulation methods (`.html()`, `.append()`, `.prepend()`, `.before()`, `.after()`, `.replaceWith()`), the flawed prefilter can still allow script execution. An attacker who can influence the HTML string passed to these methods — for example, via a user-supplied value reflected into a jQuery call — can inject and execute arbitrary JavaScript in the victim's browser.

Root Cause

The `jQuery.htmlPrefilter()` method applied a regex transformation (`/<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>` → `<$1></$2>`) intended to normalize self-closing tags. This transformation could be abused to convert sanitized, inert HTML into executable script content. The fix in 3.5.0 removed this normalization entirely, making the prefilter a no-op and delegating safe parsing to the browser's native HTML parser.

Technical Impact

An attacker can execute arbitrary JavaScript in the context of the victim's browser session. This enables session hijacking (cookie theft), credential harvesting, page defacement, redirection to phishing sites, and keylogging. The scope is changed (S:C in CVSS), meaning the attacker's script runs in the context of the vulnerable origin, not just the injected content.

Severity Justification

CVSS 3.1 base score 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Network-exploitable with low complexity and no privileges required, but requires user interaction. Exploitability is high in practice — PoCs are public, the vulnerability is in CISA's Known Exploited Vulnerabilities catalog, and jQuery's ubiquity makes it a high-value target.

Affected Components

• jQuery >= 1.0.3 and < 3.5.0

Remediation Steps

1. Upgrade jQuery to version 3.5.0 or later. This is the definitive fix. Run: `npm install jquery@latest` or `yarn upgrade jquery` and update any CDN `<script>` tags accordingly.
2. Review the jQuery 3.5 upgrade guide (https://jquery.com/upgrade-guide/3.5/) for any breaking changes — the `htmlPrefilter` normalization behavior was removed, which may affect apps relying on self-closing non-void tags.
3. If an immediate upgrade is blocked (e.g., by a framework dependency), apply DOMPurify with the `SAFE_FOR_JQUERY` option as a temporary mitigation before passing any HTML to jQuery DOM methods.
4. Search your codebase for calls to `.html()`, `.append()`, `.prepend()`, `.before()`, `.after()`, and `.replaceWith()` that accept user-supplied or externally sourced strings, and ensure those inputs are sanitized.
5. After deploying the upgrade, verify the new version is live and no legacy copies remain (check CDN includes, bundled assets, and vendor-provided scripts).

Verification Steps

1. In browser DevTools, run `jQuery.fn.jquery` in the console — confirm the output is '3.5.0' or higher.
2. Run `npm list jquery` or `yarn list --pattern jquery` to check for any nested/transitive dependencies still pinned to a vulnerable version.
3. Use Retire.js (https://retirejs.github.io/retire.js/) or run `npx retire` in your project root to scan for known vulnerable library versions.
4. Check your CDN `<script>` tags in HTML templates to ensure no hardcoded references to jQuery < 3.5.0 remain.

Code Examples (javascript)

// jQuery 3.3.1 — vulnerable: sanitized HTML can still execute
const userHtml = sanitize(userInput); // external sanitizer
$('#container').html(userHtml);       // htmlPrefilter bypass possible

// Option 1: Upgrade to jQuery 3.5.0+
// package.json: "jquery": "^3.7.1"

// Option 2: Temporary mitigation with DOMPurify (SAFE_FOR_JQUERY mode)
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput, { SAFE_FOR_JQUERY: true });
$('#container').html(clean);

Best Practices

• Avoid passing externally sourced or user-influenced HTML strings directly to jQuery DOM manipulation methods; prefer `text()` for plain text content.
• Pin dependencies to specific versions in production and use a lockfile (`package-lock.json` / `yarn.lock`) to prevent silent upgrades or downgrades.
• Integrate a software composition analysis (SCA) tool (e.g., `npm audit`, Snyk, or OWASP Dependency-Check) into your CI/CD pipeline to catch vulnerable library versions before deployment.
• Pair library hygiene with a Content Security Policy (CSP) as a defence-in-depth measure to limit the impact of any XSS that does occur.

References

• nvd.nist.gov/vuln/detail/CVE-2020-11023
• blog.jquery.com/2020/04/10/jquery-3-5-0-released/
• jquery.com/upgrade-guide/3.5/
• github.com/advisories/GHSA-jpcq-cgw6-v4j6
• security.snyk.io/vuln/SNYK-JS-JQUERY-565129
• www.cisa.gov/known-exploited-vulnerabilities-catalog