CVE-2020-11022
Untrusted Code Execution vulnerability in jquery
What is CVE-2020-11022 About?
This jQuery vulnerability allows untrusted code execution when HTML from untrusted sources is passed to jQuery's DOM manipulation methods, even after that HTML has been sanitized. The impact is execution of arbitrary client-side code in the victim's browser, enabling cross-site scripting and related web-based attacks. Exploitation is easy: an attacker only needs to get specially crafted HTML into a page that renders it through a vulnerable jQuery version.
Affected Software
- jquery
  - >1.2.0, <3.5.0
- jquery-rails
  - <4.4.0
- org.webjars.npm:jquery
  - >1.2.0, <3.5.0
- maximebf/debugbar
  - <1.19.0
- athlon1600/youtube-downloader
  - <=4.0.0
- components/jquery
  - >1.2.0, <3.5.0
Technical Details
The vulnerability in jQuery versions prior to 3.5.0 lies in its DOM manipulation methods (e.g., `.html()`, `.append()`). When HTML from untrusted sources is passed to these methods, jQuery may execute untrusted code even if sanitization has been applied. Specifically, jQuery's `htmlPrefilter` function, intended to prepare HTML strings before they reach the browser's parser, rewrites the markup in a way that a sanitizer running on the original string does not anticipate, so the prefilter step can be bypassed or only partially mitigates certain injection vectors. This allows an attacker to inject HTML fragments or script that will execute in the context of the user's browser, leading to Cross-Site Scripting (XSS).
What is the Impact of CVE-2020-11022?
Successful exploitation may allow attackers to execute arbitrary client-side script code, perform cross-site scripting attacks, steal sensitive session information, deface web pages, or redirect users to malicious sites.
What is the Exploitability of CVE-2020-11022?
Exploitation of this vulnerability requires an attacker to inject or supply untrusted HTML content to an application that uses a vulnerable jQuery version and displays user-generated content. The complexity is low, as it primarily involves bypassing existing, insufficient sanitization. No specific authentication or privilege is typically required, as the attack is client-side. It is a remote vulnerability, typically delivered via a web application. Exploitability increases significantly in web applications that do not strictly validate and sanitize all HTML inputs before rendering them on the client side, particularly when they pass that HTML through jQuery's DOM manipulation functions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| 0xAJ2K | Link | Little thing put together quickly to demonstrate this CVE |
| Snorlyd | Link | Vulnerability Report of the New Jersey official site |
What are the Available Fixes for CVE-2020-11022?
About the Fix from Resolved Security
The patch removes the `htmlPrefilter` regex, which previously converted self-closing XHTML-style tags (e.g., `<div/>`) into explicitly closed tags (e.g., `<div></div>`), and now returns the HTML string as-is. This change fixes CVE-2020-11022 because the browser's parser, rather than a jQuery rewrite, now decides how each tag is interpreted, so an attacker can no longer rely on an unexpected or unsafe tag transformation happening after sanitization and before parsing. That eliminates this class of cross-site scripting (XSS) vulnerabilities.
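The following is an added example, not code from jQuery or from Resolved Security, that models the transform described in the Technical Details and fix sections above outside a browser. The regex is the one jQuery's manipulation module used before 3.5.0 (reproduced here as an assumption about that source); `legacyHtmlPrefilter` shows the pre-fix behaviour, `fixedHtmlPrefilter` the 3.5.0 behaviour, and the remaining functions are defensive helpers (a runtime check for a loaded jQuery object, a check against the advisory's version range, and the pass-through mitigation the jQuery 3.5.0 release notes recommend for applications that cannot upgrade yet). The `fakeJq` object in `demo()` is a constructed stand-in for a jQuery instance.

```javascript
// Regex used by jQuery < 3.5.0 to expand self-closing tags (assumed copy of the
// one in jQuery's manipulation module); the void elements in the negative
// lookahead (br, img, ...) are deliberately left alone.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// Behaviour before the fix: "<div/>" becomes "<div></div>".
// This rewrite happens after any sanitizer has already looked at the string.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Behaviour after the fix (jQuery 3.5.0): the HTML is passed through untouched,
// so the browser parser alone decides how each tag is interpreted.
function fixedHtmlPrefilter(html) {
  return html;
}

// Runtime check for a loaded jQuery object: a prefilter that still rewrites
// "<div/>" carries the vulnerable transform regardless of the reported version.
// `jq` is assumed to be a jQuery instance (anything exposing htmlPrefilter).
function prefilterRewritesTags(jq) {
  return typeof jq.htmlPrefilter === "function" &&
    jq.htmlPrefilter("<div/>") !== "<div/>";
}

// Version check against the advisory's affected range (>1.2.0, <3.5.0).
function parseVersion(v) {
  return v.split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function versionIsAffected(version) {
  return compareVersions(version, "1.2.0") > 0 &&
    compareVersions(version, "3.5.0") < 0;
}

// Mitigation when an upgrade is not yet possible: install the same pass-through
// prefilter that 3.5.0 ships. Returns the object so callers can chain it.
function hardenPrefilter(jq) {
  jq.htmlPrefilter = fixedHtmlPrefilter;
  return jq;
}

// Stand-alone demo using a constructed stand-in for a vulnerable jQuery object.
function demo() {
  const fakeJq = { fn: { jquery: "3.4.1" }, htmlPrefilter: legacyHtmlPrefilter };
  const rewritesBefore = prefilterRewritesTags(fakeJq); // true: vulnerable transform present
  hardenPrefilter(fakeJq);
  const rewritesAfter = prefilterRewritesTags(fakeJq);  // false: pass-through installed
  return {
    version: fakeJq.fn.jquery,
    affectedByVersion: versionIsAffected(fakeJq.fn.jquery),
    rewritesBefore,
    rewritesAfter,
  };
}

console.log(demo());
```

In a real page the same `prefilterRewritesTags(window.jQuery)` check is a cheap way to confirm that a vendored or CDN-served copy actually behaves like 3.5.0, since bundles are sometimes mislabelled; the version check alone is not enough.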
Available Upgrade Options
- org.webjars.npm:jquery
  - >1.2.0, <3.5.0 → Upgrade to 3.5.0
- jquery-rails
  - <4.4.0 → Upgrade to 4.4.0
- maximebf/debugbar
  - <1.19.0 → Upgrade to 1.19.0
- components/jquery
  - >1.2.0, <3.5.0 → Upgrade to 3.5.0
- jquery
  - >1.2.0, <3.5.0 → Upgrade to 3.5.0
Additional Resources
- https://www.tenable.com/security/tns-2020-11
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY
- https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://github.com/jquery/jquery/releases/tag/3.5.0
What are Similar Vulnerabilities to CVE-2020-11022?
Similar Vulnerabilities: CVE-2020-11023, CVE-2015-9251, CVE-2012-6708, CVE-2019-11358, CVE-2016-10707
