CVE-2016-10707
HIGH
jQuery 3.0.0-rc.1 - Denial of Service via Mixed-Case Boolean Attribute Recursion
Title source: llm
Description
jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) because logic that lowercased attribute names was removed. Any attribute getter called with a mixed-case name for a boolean attribute goes into infinite recursion and exceeds the call stack limit.
References (3)
Core References
Exploit, Patch x_refsource_misc
https://github.com/jquery/jquery/issues/3133
Third Party Advisory x_refsource_misc
https://snyk.io/vuln/npm:jquery:20160529
Issue Tracking, Patch x_refsource_misc
https://github.com/jquery/jquery/pull/3134
Scores
CVSS v3
7.5
EPSS
0.0053
EPSS Percentile
67.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-674
Status
published
Products (5)
jquery/jquery
3.0.0 rc1
npm/jquery
3.0.0-rc.1 - 3.0.0 (npm)
nuget/jQuery
3.0.0-rc.1 - 3.0.0 (NuGet)
org.webjars.npm/jquery
3.0.0-rc1 - 3.0.0 (Maven)
rubygems/jquery-rails
3.0.0-rc.1 - 3.0.0 (RubyGems)
Published
Jan 18, 2018
Tracked Since
Feb 18, 2026