⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

Severity: 6.1 MEDIUM
EPSS: 1.9% (top 16.98%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)

Timeline
Published: Apr 20
Latest update: Jul 8

Description

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
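
The mechanism in the description, shown as an added example (not jQuery's source): a simplified recursive merge that, like the pre-3.4.0 behaviour, treats the prototype-less `Object.prototype` as a plain object and recurses into it when the source carries an own `__proto__` key, beside a hardened merge that skips that key and copies only own properties. The `deepExtendVulnerable`, `deepExtendSafe`, `isPlainObject` and `demo` names and the JSON input are constructed for this illustration.

```javascript
// Mirrors the permissive plain-object test: objects with a null prototype
// (which includes Object.prototype itself) count as plain.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Vulnerable: for key "__proto__", target[key] resolves to Object.prototype,
// which passes isPlainObject, so the nested keys are written onto the shared
// prototype and every object in the runtime inherits them.
function deepExtendVulnerable(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = target[key];
      target[key] = deepExtendVulnerable(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the "__proto__" key outright and only copy own properties,
// so untrusted input can never reach the prototype chain.
function deepExtendSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (key === '__proto__') continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = deepExtendSafe(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merges constructed untrusted JSON into a fresh object and reports whether an
// unrelated object picked up the injected property; restores the runtime after.
function demo(merge) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed input
  merge({}, untrusted);
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}
```

`demo(deepExtendVulnerable)` returns true (an unrelated `{}` now reports `polluted`), while `demo(deepExtendSafe)` returns false; note that `JSON.parse` produces an own, enumerable `__proto__` property, which is exactly the shape the description calls an unsanitized source object.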

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (111 packages)

Ecosystem | Package | Affected versions
NuGet | jQuery | >= 1.1.4, < 3.4.0
npm | jquery | >= 1.1.4, < 3.4.0
RubyGems | jquery-rails | < 4.3.4
NVD | jquery/jquery | < 3.4.0
Maven | org.webjars.npm:jquery | >= 1.1.4, < 3.4.0

Also affects: Debian Linux 10.0, 8.0, 9.0, Fedora 28, 29, 30

Patches

🔴 Vulnerability Details (9)

OSV: jquery vulnerabilities (2025-07-08)
GHSA: eZ Platform Bundled jQuery affected by CVE-2019-11358 (2024-05-15)
OSV: eZ Platform Bundled jQuery affected by CVE-2019-11358 (2024-05-15)
OSV: XSS in jQuery as used in Drupal, Backdrop CMS, and other products (2019-04-26)
GHSA: XSS in jQuery as used in Drupal, Backdrop CMS, and other products (2019-04-26)

💥 Exploits & PoCs (1)

Exploit-DB: jQuery 3.3.1 - Prototype Pollution & XSS Exploit (2025-04-08)

📋 Vendor Advisories (13)

Ubuntu: jQuery vulnerabilities (2025-07-08)
Oracle: Oracle Hyperion Risk Matrix: Hyperion Planning (jQuery) — CVE-2019-11358 (2021-10-15)
Oracle: Oracle Fusion Middleware Risk Matrix: UI Platform (jQuery) — CVE-2019-11358 (2021-07-15)
Oracle: Oracle Siebel CRM Risk Matrix: UIF Open UI (jQuery) — CVE-2019-11358 (2021-04-15)
Oracle: Oracle Insurance Applications Risk Matrix: Framework Administrator IBFA (jQuery) — CVE-2019-11358 (2021-01-15)

💬 Community (24)

Bugzilla: CVE-2019-11358 atomic-openshift-web-console: js-jquery: Web console vulnerable to CVE-2019-11358 (moderate d impact) [openshift-enterprise-3.11.z] (2020-01-29)
Bugzilla: CVE-2019-11358 python-XStatic-jQuery: jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection [openstack-rdo] (2019-07-11)
Bugzilla: CVE-2019-11358 python-XStatic-jquery-ui: js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection [openstack-rdo] (2019-07-11)
Bugzilla: extension workshop is using a vulnerable version of jQuery (2019-05-06)
Bugzilla: CVE-2019-11358 drupal7: js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection [epel-all] (2019-04-24)