Patch now available, but regex-induced bug said to impact other software packages
The open source jQuery software used a regex in its jQuery.htmlPrefilter method to ensure that closing tags were XHTML-compliant when passed to methods.
Japanese security researcher Masato Kinugawa showed that this implementation was flawed, as the regex could introduce an XSS vulnerability.
The developers behind jQuery described the moderate severity vulnerability (CVE-2020-11022) as something that only came into play in “edge cases where parsing would have unintended consequences”.
Despite downplaying the severity of the bug, they agreed that an update was needed.
This problem was patched in jQuery 3.5.0, released on April 10 and made available alongside minor feature improvements and bug fixes.
Various workarounds, for those unable to immediately update affected packages are also available, as explained in an advisory from the developers of jQuery.
The XSS vulnerability resolved last month meant that “passing HTML from untrusted sources – even after sanitizing it – to one of jQuery’s DOM manipulation methods (such as .html(), .append(), and others) may execute untrusted code,” according to the write-up on GitHub.
Kinugawa has tweeted about a challenge the revolves around a proof-of-concept exploit for the jQuery vulnerability.
In response to a question from The Daily Swig, Kinugawa said this vector of exploitation affects various (as yet unnamed) software packages and is the topic of ongoing disclosure and remediation work.
“I found XSS in real apps,” Kinugawa said. “They have bug bounty, but sadly I can’t share details since they haven’t been fixed yet.”
On May 17, Kinugawa published further technical details.