CVE-2019-5428: Duplicate Advisory: Prototype Pollution in jquery
CVSS Score
N/A
Basic Information
CVE ID
GHSA ID
EPSS Score
-
CWE
-
Published
4/23/2019
Updated
9/25/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS metrics data is empty
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| jquery | npm | < 3.4.0 | 3.4.0 |
| jquery | nuget | < 3.4.0 | 3.4.0 |
| org.webjars.npm:jquery | maven | < 3.4.0 | 3.4.0 |
| jquery-rails | rubygems | < 3.4.0 | 3.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from jQuery's `extend` method when it performs a deep merge (first argument `true`). The jQuery 3.4.0 release notes explicitly state that they 'prevent Object.prototype pollution for $.extend(true, ...)' by refusing to copy the `__proto__` property during the merge. This matches the CVE description of prototype pollution via `extend()`. Because `jQuery.extend` is a core jQuery API method, its function signature is a natural match for runtime profiling patterns. The evidence comes directly from the official release notes describing the security fix in this specific function.