jQuery JavaScript library flaw opens the doors for attacks on hundreds of millions of websites

The popular jQuery JavaScript library is affected by a rare prototype pollution vulnerability that could allow attackers to modify a JavaScript object’s prototype.

The impact of the issue could be severe considering that the jQuery JavaScript library is currently used on 74 percent of websites online, most sites still use the 1.x and 2.x versions of the library that are affected by the ‘Prototype Pollution’ vulnerability.

This week the library has received a security patch to address the issue, this week, three years after the last major security flaw discovered in its code.

JavaScript objects are like variables that can be used to store multiple values based on a predefined structure. Prototypes are used to define a JavaScript object’s default structure and default values, they are essential to specify an expected structure when no values are set.

An attacker that is able to modify a JavaScript object prototype can make an application crash and change behavior if it doesn’t receive the expected values.

Due to the diffusion of JavaScript, the exploitation of prototype pollution flaws could have serious consequences on web applications.

The vulnerability in the jQuery library (CVE-2019-11358) was discovered by researchers at Snyk that also published a proof of concept code for a prototype pollution attack.

“This security vulnerability referred to and manifests as prototype pollution, enables attackers to overwrite a JavaScript application object prototype.” reads the analysis published by Snyk. “When that happens, properties that are controlled by the attacker can be injected into objects and then either lead to denial of service by triggering JavaScript exceptions, or tamper with the application source code to force the code path that the attacker injects. “

The experts demonstrated that exploiting the flaw attackers can assign themselves admin rights on a web app that uses the jQuery library code.

Fortunately, according to the experts, this prototype pollution issue is not exploitable for mass-attacks because the exploit code must be crafted for each specific target.

Web developers using jQuery JavaScript library for their applications are advised to update their projects to the latest jQuery version, v3.4.0.

“jQuery 3.4.0 includes a fix for some unintended behavior when using jQuery.extend(true, {}, …). If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype. This fix is included in jQuery 3.4.0, but patch diffs exist to patch previous jQuery versions,” reads the blog post published by the jQuery team.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, jQuery JavaScript library )

[adrotate banner=”5″]

[adrotate banner=”13″]