GHSA-rmxg-73gg-4p98

GitHub Security Advisory

Cross-Site Scripting (XSS) in jquery

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Affected versions of `jquery` interpret `text/javascript` responses from cross-origin Ajax requests as scripts and automatically execute their contents with `jQuery.globalEval`, even when the Ajax request does not set the `dataType` option.

## Recommendation

Update to version 3.0.0 or later.
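
The behaviour described above, as an added example: a simplified model written for this page, not jQuery's source and not part of the advisory. It shows how a missing `dataType` lets the response `Content-Type` select the `script` handling, and how a prefilter can switch that off for cross-origin requests as a stopgap until the update lands. The function names and example origins are hypothetical; `contents`, `crossDomain`, `dataType` and `jQuery.ajaxPrefilter` are jQuery's documented Ajax API.

```javascript
// Simplified model of dataType inference; constructed for illustration, not jQuery source.
// The entries mirror the shape of jQuery's `contents` ajax setting (type -> Content-Type regex).
const defaultContents = () => ({
  xml: /\bxml\b/,
  html: /\bhtml/,
  json: /\bjson\b/,
  script: /\b(?:java|ecma)script\b/,
});

// With no explicit dataType, the response Content-Type picks the handling.
// A result of "script" means the body would be handed to jQuery.globalEval.
function inferDataType(options, contentType) {
  if (options.dataType) return options.dataType;
  const contents = options.contents || {};
  for (const type of Object.keys(contents)) {
    if (contents[type] && contents[type].test(contentType)) return type;
  }
  return "text";
}

// True when the request URL resolves to a different origin than the page.
function isCrossOrigin(url, pageOrigin) {
  return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

// Prefilter body: for cross-origin requests, Content-Type can no longer select "script".
function blockCrossOriginScriptSniffing(options) {
  if (options.crossDomain) options.contents.script = false;
}

// Hypothetical helper: build per-request options and report how the response is treated.
function classify(url, contentType, { pageOrigin, hardened, dataType }) {
  const options = {
    url,
    dataType,
    crossDomain: isCrossOrigin(url, pageOrigin),
    contents: defaultContents(), // per-request copy, so the prefilter change stays local
  };
  if (hardened) blockCrossOriginScriptSniffing(options);
  return inferDataType(options, contentType);
}

// On a page still running an affected jQuery, register the prefilter before any ajax call.
if (typeof jQuery !== "undefined") jQuery.ajaxPrefilter(blockCrossOriginScriptSniffing);
```

Same-origin requests and requests that explicitly ask for `dataType: "script"` keep their behaviour; only the implicit cross-origin case changes.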

Affected Packages

| Ecosystem | Package | Affected versions |
|---|---|---|
| npm | jquery | 0 (fixed in 1.12.2) |
| NuGet | jQuery | 0 (fixed in 1.12.2) |
| NuGet | jQuery | 1.12.3 (fixed in 3.0.0) |
| npm | jquery | 1.12.3 (fixed in 3.0.0) |
| RubyGems | jquery-rails | 0 (fixed in 4.2.0) |
| Maven | org.webjars.npm:jquery | 0 (fixed in 1.12.2) |
| Maven | org.webjars.npm:jquery | 1.12.3 (fixed in 3.0.0) |

Related CVEs

Key Information

GHSA ID: GHSA-rmxg-73gg-4p98

Published: January 22, 2018 1:32 PM

Last Modified: September 17, 2021 6:58 PM

CVSS Score: 5.0/10

Primary Ecosystem: npm

Primary Package: jquery

GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 30, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.