Attacks on old jQuery libraries observed

The US IT security authority warns that attackers are targeting an old vulnerability in jQuery.

(Image: An old, rusty server under attack by viruses. Created with AI in Bing Designer by heise online / dmk)


The US IT security authority CISA is currently warning of attacks on web servers that still ship outdated jQuery builds, which leave the sites they serve open to attack. jQuery is a JavaScript library for manipulating web pages with little effort, for example to create animations or change elements on the page.

The vulnerability on which CISA has observed attacks is a cross-site scripting (XSS) flaw in jQuery. According to the vulnerability description, passing HTML that contains "<option>" elements from an untrusted source to one of jQuery's DOM manipulation methods (.html(), .append() and the like) can lead to the execution of untrusted code, even if the HTML has been sanitized beforehand (CVE-2020-11023, CVSS 6.9, risk "medium").

All jQuery versions from 1.0.3 up to, but not including, 3.5.0 are affected; 3.5.0 closes the hole and was released in April 2020. The current release is jQuery 3.7.1, but that version dates from August 2023 and is itself no longer young.


CISA does not explain how the attacks take place. The authority is also silent on their extent and specific consequences, and it provides no indicators of compromise (IOCs).

Administrators can therefore only check whether, and in which version, jQuery is deployed on their own servers and update it wherever it is vulnerable. All major Linux distributions already ship updated packages, but here too it can't hurt to verify that they are current. Note that many web applications bundle their own copy of jQuery instead of using the distribution package, so the package version alone says little; the copies actually served to browsers are what count.

jQuery 3.5.0 from 2020 closed the XSS hole now under attack, along with a second, closely related one in the jQuery.htmlPrefilter method. The latter fix is the one that may have required adapting custom code: since 3.5.0, htmlPrefilter no longer uses a regular expression to expand self-closing tags such as "<div/>" into "<div></div>", so code that relied on that rewrite stopped working. Anyone who skipped the update because of such breakage should take action now at the latest.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.