
CVE-2019-5428: Duplicate Advisory: Prototype Pollution in jquery

CVSS Score: N/A

Basic Information

EPSS Score: -
CWE: -
Published: 4/23/2019
Updated: 9/25/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS metrics data is empty

Package Name              Ecosystem   Vulnerable Versions   First Patched Version
jquery                    npm         < 3.4.0               3.4.0
jquery                    nuget       < 3.4.0               3.4.0
org.webjars.npm:jquery    maven       < 3.4.0               3.4.0
jquery-rails              rubygems    < 3.4.0               3.4.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from jQuery's `extend` method when it performs a deep merge (first parameter `true`). The jQuery 3.4.0 release notes explicitly state that the release 'prevents Object.prototype pollution for $.extend(true, ...)' by refusing to copy the `__proto__` property. This matches the CVE description of prototype pollution via `extend()`. `jQuery.extend` is a core jQuery API method, so its signature matches runtime profiling patterns. The evidence comes directly from the official release notes, which describe the security fix in this specific function.
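To make the root cause concrete, the following is an added example and not jQuery's own code: a minimal recursive deep merge in the spirit of `$.extend(true, target, source)`, with an optional guard that mirrors the 3.4.0 fix (skip a key named `__proto__`). The function names `isPlainObject`, `deepExtend` and `mergeUntrusted` are hypothetical, and the JSON payload is constructed for the demonstration. Running both variants against the same input shows why the guard matters: without it the merge walks into `Object.prototype` and every object in the process inherits the injected key; with it the merge still copies the legitimate settings but leaves the prototype untouched, which is the regression check a defender would keep around.

```javascript
// Added example, not jQuery's own code: a minimal deep merge in the spirit of
// $.extend(true, target, source), with an optional guard that mirrors the
// jQuery 3.4.0 fix (refuse to copy a key named "__proto__").

// Approximates jQuery's notion of a "plain" object for this demo: object
// literals and null-prototype objects count as plain. Object.prototype itself
// has a null prototype, which is exactly why an unguarded deep merge can
// recurse into it.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Recursive deep merge. With guard === true the "__proto__" key is skipped,
// which is the check the 3.4.0 release added.
function deepExtend(target, source, guard) {
  for (const key of Object.keys(source)) {
    if (guard && key === "__proto__") continue;
    const value = source[key];
    if (isPlainObject(value)) {
      // For key === "__proto__", target[key] reads the prototype object, so an
      // unguarded merge ends up extending Object.prototype itself.
      const existing = target[key];
      target[key] = deepExtend(isPlainObject(existing) ? existing : {}, value, guard);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Merge a JSON payload into a config object and report whether Object.prototype
// picked up the injected key. The prototype is cleaned afterwards so the check
// is repeatable within one process.
function mergeUntrusted(jsonPayload, guard) {
  const config = { settings: { debug: false } };
  deepExtend(config, JSON.parse(jsonPayload), guard);
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, "polluted");
  delete Object.prototype.polluted;
  return { debug: config.settings.debug, leaked };
}

// Constructed sample input for the demo (not taken from any real traffic).
const SAMPLE_PAYLOAD = '{"settings":{"debug":true},"__proto__":{"polluted":true}}';

if (typeof require !== "undefined" && require.main === module) {
  console.log("unguarded:", mergeUntrusted(SAMPLE_PAYLOAD, false));
  console.log("guarded:  ", mergeUntrusted(SAMPLE_PAYLOAD, true));
}
```

The guarded call returns `{ debug: true, leaked: false }` and the unguarded one `{ debug: true, leaked: true }`; the only difference is the one-line key check, which is why upgrading to jQuery 3.4.0 (or applying an equivalent check in any hand-rolled deep merge of untrusted input) closes the issue.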

Vulnerable functions


WAF Protection Rules

WAF Rule

Duplicate Advisory: This advisory is a duplicate of GHSA-6c3j-c64m-qhgq (https://github.com/advisories/GHSA-6c3j-c64m-qhgq). This link is maintained to preserve external references.

Original Description: Versions of `jquery` prior to 3.4.0 are
