GHSA-2pqj-h3vj-pqgw
GitHub Security Advisory
Cross-Site Scripting in jquery
Severity: Moderate (GitHub reviewed, has CVE)
Advisory Details
Affected versions of `jquery` are vulnerable to cross-site scripting. The main `jquery` function uses a regular expression to decide whether a string argument is an HTML fragment or a selector, but that regular expression is not properly anchored. As a result, `jquery` may treat certain selector strings as HTML, parsing markup embedded in them and allowing client-side script execution.
## Proof of Concept
```javascript
$("#log").html(
$("element[attribute='<img src=\"x\" onerror=\"alert(1)\" />']").html()
);
```
## Recommendation
Update to version 1.9.0 or later.
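The classification step the advisory describes, as an added example (not code from the jQuery project): the two regular expressions are simplified reconstructions modelled on the pre-1.9 and 1.9 shapes of the HTML-versus-selector check, and `classify()` and `demo()` are hypothetical helpers that return the branch `$()` would take instead of touching the DOM.

```javascript
// Added example: how an unanchored HTML check is fooled by a selector string,
// and how anchoring it fixes the problem. Both regexes are simplified
// reconstructions, not code copied from jQuery; classify()/demo() are
// hypothetical helpers written for this illustration.

// Pre-1.9 shape: a "<...>" run is accepted anywhere in the string as long as
// no "#" or "<" precedes it, so a selector whose attribute value contains a
// tag is treated as HTML.
const RQUICK_OLD = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;

// 1.9+ shape: the HTML branch is anchored at the start of the string, so only
// input that begins with "<" can reach the HTML parser.
const RQUICK_NEW = /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/;

// Return the branch the $() entry point would take for `str` under regex `re`:
// "html" (markup parser), "id" (getElementById fast path) or "selector".
function classify(str, re) {
  const m = re.exec(str);
  if (m && m[1]) return "html";
  if (m && m[2]) return "id";
  return "selector";
}

// The advisory's proof-of-concept input: a selector whose attribute value
// carries an <img> element with an onerror handler.
const POC = "element[attribute='<img src=\"x\" onerror=\"alert(1)\" />']";

// Compare the two checks on the PoC and on ordinary inputs.
function demo() {
  return {
    oldBehaviour: classify(POC, RQUICK_OLD),      // "html": markup is parsed, handler fires
    newBehaviour: classify(POC, RQUICK_NEW),      // "selector": no markup parsing
    plainHtml: classify("<p>hi</p>", RQUICK_NEW), // "html": genuine markup still recognised
    idLookup: classify("#log", RQUICK_NEW),       // "id": fast path unchanged
  };
}
```

Independently of the jQuery version, code that must handle untrusted strings should not rely on `$()` to guess their type: jQuery documents `$.parseHTML()` for markup and `$(document).find()` for selectors, which makes the intent explicit.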
## Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
| --- | --- | --- | --- |
| npm | jquery | 0 | 1.9.0 |
| Maven | org.webjars.npm:jquery | 0 | 1.9.0 |
| NuGet | jQuery | 0 | 1.9.0 |
| RubyGems | jquery-rails | 0 | 2.2.0 |
## Key Information

Score: 5.0/10
## Dataset

Last updated: September 30, 2025 6:30 AM. Data from GitHub Advisory Database. This information is provided for research and educational purposes.