CVE-2015-9251
Cross-Origin Script Execution vulnerability in jquery

Cross-Origin Script Execution Proof of concept

What is CVE-2015-9251 About?

This vulnerability in `jquery` allows cross-origin script execution because affected versions pick a response type by sniffing the `Content-Type` header whenever an AJAX call is made without a `dataType` option: a cross-origin response served as `text/javascript` is handed to `jQuery.globalEval` and runs in the page, which is Cross-Site Scripting in the origin that issued the request. Exploitation needs nothing more than an attacker-controlled (or attacker-influenced) host that one of the application's `jquery` AJAX calls reaches and that answers with script content under a JavaScript `Content-Type`, together with the CORS headers the browser requires before it exposes a cross-origin response to the page.

Affected Software

  • jquery
    • >1.12.3, <3.0.0
    • <1.12.2
  • jQuery
    • >1.12.3, <3.0.0
    • <1.12.2
  • jquery-rails
    • <4.2.0
  • org.webjars.npm:jquery
    • >1.12.3, <3.0.0
    • <1.12.2

Technical Details

The vulnerability stems from how affected versions of `jquery` choose a data type for an AJAX response. When a call such as `$.ajax({ url: ... })` or `$.get(url)` does not set `dataType`, `jquery` infers the type from the response `Content-Type` header using its `ajaxSettings.contents` table; any header matching `/\b(?:java|ecma)script\b/` (for example `text/javascript`, `application/javascript` or `application/x-javascript`) selects the `script` type, whose `text script` converter passes the body to `jQuery.globalEval`. The affected code makes no distinction between same-origin and cross-origin requests. An attacker who controls a host that the application's AJAX call reaches, either directly or by tampering with a plaintext HTTP request, can therefore serve a script with a JavaScript `Content-Type` and the CORS headers needed for the browser to expose the response, and `jquery` executes it in the context of the originating origin, leading to Cross-Site Scripting (XSS). jQuery 3.0.0 closed the hole with an `ajaxPrefilter` that sets `s.contents.script = false` for cross-domain requests, so a cross-origin script response is only evaluated when the caller explicitly asks for it with `dataType: "script"` (or `$.getScript`).

What is the Impact of CVE-2015-9251?

Successful exploitation lets an attacker run arbitrary script in the origin of the page that issued the request, inside the victim's browser, with the usual XSS consequences: session hijacking, theft of any data the page can read, defacement, or redirection to malicious sites.

What is the Exploitability of CVE-2015-9251?

Exploitation is straightforward: the attacker needs a host that answers cross-origin AJAX requests with JavaScript under a JavaScript `Content-Type` and with permissive CORS headers, and a page that makes such a request with an affected `jquery` and no explicit `dataType`. No authentication or special privilege on the client is required, and the attack is remote, since it only relies on the victim's browser issuing the request. The prerequisite that matters is therefore the application's own AJAX usage: calls whose URL is built from user-controlled input, calls to third-party or otherwise untrusted APIs, and calls over plaintext HTTP that a network attacker can intercept and answer are the patterns that expose it. Calls that set `dataType` explicitly (for example `dataType: "json"`) are not affected, because the response is parsed as that type rather than sniffed from the header.

What are the Known Public Exploits?

  • halkichi0308 (Link): PoC for CVE-2015-9251
  • hackgiver (Link): This repository contains a Proof of Concept (PoC) for CVE-2015-9251, a vulnerability in jQuery versions prior to 3.0.0 that allows attackers to perform Cross-Site Scripting (XSS) attacks under...
  • moften (Link): PoC for CVE-2015-9251, jQuery below 3.0.0.

What are the Available Fixes for CVE-2015-9251?

Available Upgrade Options

  • org.webjars.npm:jquery
    • <1.12.2 → Upgrade to 1.12.2
  • org.webjars.npm:jquery
    • >1.12.3, <3.0.0 → Upgrade to 3.0.0
  • jquery-rails
    • <4.2.0 → Upgrade to 4.2.0
  • jquery
    • <1.12.2 → Upgrade to 1.12.2
  • jquery
    • >1.12.3, <3.0.0 → Upgrade to 3.0.0
  • jQuery
    • <1.12.2 → Upgrade to 1.12.2
  • jQuery
    • >1.12.3, <3.0.0 → Upgrade to 3.0.0


Additional Resources

What are Similar Vulnerabilities to CVE-2015-9251?

Similar Vulnerabilities: CVE-2015-0209, CVE-2012-6708, CVE-2014-6057, CVE-2017-1000008, CVE-2017-8280