CVE-2019-11358

MEDIUM · EXPLOITED IN THE WILD

jQuery < 3.4.0 - Prototype Pollution via jQuery.extend

Title source: llm

Exploitation Summary

CVE-2019-11358 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 7 public exploits from researchers including chrisneagu, DanielRuf, bitnesswise.

AI-analyzed exploit summary: The repository contains sample code and configuration files for a FIRST Tech Challenge (FTC) robot controller, but no exploit code or technical analysis related to CVE-2019-11358. The files are part of a legitimate robotics project and do not demonstrate or discuss the vulnerability.

Description

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
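
As an added illustration (not code from this page or from jQuery itself), the following contrasts a minimal deep merge modelled on the pre-3.4.0 behaviour of jQuery.extend(true, ...) with the same merge carrying the `__proto__` guard that jQuery 3.4.0 introduced, plus a check a defender can run against any deep-merge helper to see whether an untrusted source object reaches Object.prototype. Function names and the sample source object are constructed for the example.

```javascript
// Minimal deep merge in the style of jQuery.extend(true, target, src) before 3.4.0.
// It copies every enumerable key of src, including an own "__proto__" key.
function deepExtendVulnerable(target, src) {
  for (const name in src) {
    const copy = src[name];
    if (copy !== null && typeof copy === "object" && !Array.isArray(copy)) {
      // For name === "__proto__", target[name] is Object.prototype itself,
      // so the recursion writes straight into the shared prototype.
      const existing = target[name];
      const clone = existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Same merge with the guard jQuery 3.4.0 added: skip "__proto__" and self-references.
function deepExtendSafe(target, src) {
  for (const name in src) {
    if (name === "__proto__" || src[name] === target) continue;
    const copy = src[name];
    if (copy !== null && typeof copy === "object" && !Array.isArray(copy)) {
      const existing = target[name];
      const clone = existing !== null && typeof existing === "object" ? existing : {};
      target[name] = deepExtendSafe(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Check whether a merge function lets an untrusted source pollute Object.prototype.
// The source is a constructed sample: JSON.parse yields an *own* "__proto__" key,
// unlike an object literal, which would only set the new object's prototype.
function pollutesPrototype(extendFn) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}}');
  const probe = {};                       // unrelated object, never touched directly
  extendFn({}, untrusted);
  const hit = probe.polluted === true;    // true only if Object.prototype was written
  delete Object.prototype.polluted;       // restore the runtime for later code
  return hit;
}

console.log("vulnerable merge pollutes:", pollutesPrototype(deepExtendVulnerable)); // true
console.log("guarded merge pollutes:  ", pollutesPrototype(deepExtendSafe));        // false
```

The same check can be pointed at a vendored jQuery build (`pollutesPrototype((t, s) => jQuery.extend(true, t, s))`) to confirm whether the copy in a project actually carries the fix.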

Exploits (7)

nomisec STUB 267 stars
by chrisneagu · poc
https://github.com/chrisneagu/FTC-Skystone-Dark-Angels-Romania-2020

The repository contains sample code and configuration files for a FIRST Tech Challenge (FTC) robot controller, but no exploit code or technical analysis related to CVE-2019-11358. The files are part of a legitimate robotics project and do not demonstrate or discuss the vulnerability.

Classification: Stub 95%
Attack Type: Other
Complexity: N/A
Reliability: N/A
Target: N/A
No auth needed
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP 29 stars
by DanielRuf · poc
https://github.com/DanielRuf/snyk-js-jquery-174006

This repository provides patches and a minification script for CVE-2019-11358, a prototype pollution vulnerability in jQuery versions prior to 3.4.0. It includes technical details on applying patches and generating minified versions but does not contain exploit code.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: jQuery < 3.4.0
No auth needed
Prerequisites: Access to the target system to apply patches · Node.js for minification
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP 27 stars
by DanielRuf · poc
https://github.com/DanielRuf/snyk-js-jquery-565129

This repository provides patches and a minification script for CVE-2020-11022 and CVE-2020-11023, which affect jQuery versions prior to 3.5.0. It includes instructions for applying patches and generating minified versions of jQuery.

Classification: Writeup 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: jQuery versions prior to 3.5.0
No auth needed
Prerequisites: Node.js for minification script
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP 6 stars
by bitnesswise · poc
https://github.com/bitnesswise/jquery-prototype-pollution-fix

This repository provides a patched version of jQuery 1.12.2 to mitigate CVE-2019-11358, a prototype pollution vulnerability. It includes a modified jQuery library and test cases to verify the fix.

Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: jQuery 1.12.2
No auth needed
Prerequisites: Use of jQuery 1.12.2 in a project
devstral-2 · analyzed Feb 19, 2026
nomisec STUB 1 star
by isacaya · client-side
https://github.com/isacaya/CVE-2019-11358

The repository contains only a README describing a prototype pollution vulnerability in jQuery's extend method but lacks any functional exploit code or technical details. It serves as a placeholder without demonstrating the vulnerability.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: jQuery <3.4.0
No auth needed
Prerequisites: jQuery version <3.4.0
devstral-2 · analyzed Feb 19, 2026
nomisec WRITEUP
by Snorlyd · poc
https://github.com/Snorlyd/https-nj.gov---CVE-2019-11358

This repository provides a detailed technical analysis of CVE-2019-11358, a jQuery Object.prototype pollution vulnerability. It includes patch diffs, test cases, and references to multiple advisories and fixes.

Classification: Writeup 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: jQuery before 3.4.0
No auth needed
Prerequisites: Affected version of jQuery · Ability to inject malicious input into jQuery.extend()
devstral-2 · analyzed Feb 19, 2026
exploitdb WORKING POC
webapps · multiple
https://www.exploit-db.com/exploits/52141

This exploit demonstrates two jQuery vulnerabilities (CVE-2019-11358 and CVE-2020-7656) by injecting malicious JavaScript into a vulnerable page. It leverages prototype pollution and improper script handling to execute arbitrary code in the victim's browser.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: jQuery <3.4.X
No auth needed
Prerequisites: A webpage that includes jQuery version 3.3.1 or other vulnerable versions
devstral-2 · analyzed Feb 19, 2026

References (73)

Patch, Third Party Advisory
https://github.com/jquery/jquery/pull/4333
Exploit, Third Party Advisory
https://snyk.io/vuln/SNYK-JS-JQUERY-174006
Patch, Third Party Advisory
https://www.drupal.org/sa-core-2019-006
Third Party Advisory vendor-advisory
https://www.debian.org/security/2019/dsa-4434
Mailing List, Third Party Advisory mailing-list
https://seclists.org/bugtraq/2019/Apr/32
Broken Link, Third Party Advisory, VDB Entry vdb-entry
http://www.securityfocus.com/bid/108023
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html
Mailing List, Patch, Third Party Advisory mailing-list
https://seclists.org/bugtraq/2019/May/18
Mailing List, Patch, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2019/May/11
Mailing List, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2019/May/10
Mailing List, Patch, Third Party Advisory mailing-list
http://seclists.org/fulldisclosure/2019/May/13
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html
Mailing List, Patch, Third Party Advisory mailing-list
http://www.openwall.com/lists/oss-security/2019/06/03/2
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:1456
Third Party Advisory vendor-advisory
https://www.debian.org/security/2019/dsa-4460
Issue Tracking, Mailing List, Third Party Advisory mailing-list
https://seclists.org/bugtraq/2019/Jun/12
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHBA-2019:1570
Mailing List, Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:2587
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3023
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3024
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html

Scores

CVSS v3 6.1
EPSS 0.0132
EPSS Percentile 80.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2021-01-21
InTheWild.io 2021-01-21
CWE
CWE-1321
Status published
Products (50)
backdropcms/backdrop 1.11.0 - 1.11.9
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
drupal/drupal 7.0 - 7.66
fedoraproject/fedora 28
fedoraproject/fedora 29
fedoraproject/fedora 30
joomla/joomla! 3.0.0 - 3.9.4
jquery/jquery < 3.4.0
... and 40 more
Published Apr 20, 2019
Tracked Since Feb 18, 2026