CVE-2016-10707
Severity: HIGH 7.5 | EPSS: 0.53% | Denial of Service in jquery
Published: 1/22/2018 | Modified: 9/2/2025
Description
Affected versions of `jquery` use a lowercasing logic on attribute names. When given a boolean attribute with a name that contains uppercase characters, `jquery` enters into an infinite recursion loop, exceeding the call stack limit, and resulting in a denial of service condition.
Recommendation
Update to version 3.0.0 or later.
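The actionable part of this record for a defender is the version range: only the 3.0.0 release-candidate builds are affected, and comparing `3.0.0-rc.1` against `3.0.0` requires semver pre-release precedence rules, which naive string comparison gets wrong. The following is an added example, not code from the advisory or from the jQuery project: it implements semver 2.0.0 precedence for pre-release tags, checks a version against the npm range `>= 3.0.0-rc.1, < 3.0.0`, and walks a `package-lock.json` (lockfile v2/v3 `packages` map, an assumption about the input format) to report every installed copy of `jquery`, nested copies included. The sample lockfile is constructed for the demonstration.

```javascript
// Added example (not part of the advisory): flag jQuery versions inside the
// affected range for CVE-2016-10707, i.e. >= 3.0.0-rc.1 and < 3.0.0, using
// semver 2.0.0 precedence rules so that pre-release tags compare correctly.

const AFFECTED_RANGE = { min: "3.0.0-rc.1", maxExclusive: "3.0.0" };

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare two version strings: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  // A version carrying a pre-release tag ranks below the bare release.
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return Number(x) - Number(y); // numeric identifiers compare numerically
    if (xn) return -1;                           // numeric ranks below alphanumeric
    if (yn) return 1;
    return x < y ? -1 : 1;                       // otherwise ASCII lexical order
  }
  return pa.pre.length - pb.pre.length; // equal prefix: the longer list ranks higher
}

// True when `version` lies in the advisory's affected range.
function isAffected(version) {
  return compareVersions(version, AFFECTED_RANGE.min) >= 0 &&
         compareVersions(version, AFFECTED_RANGE.maxExclusive) < 0;
}

// Walk a package-lock.json (assumed lockfile v2/v3 "packages" map) and report
// every installed copy of jquery, nested ones included, with an affected version.
function findAffectedJquery(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/jquery$/.test(path)) continue; // exact package, not jquery-ui etc.
    if (info.version && isAffected(info.version)) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Constructed sample lockfile for the demonstration (not a real project's file).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app" },
    "node_modules/jquery": { version: "3.0.0-rc.1" },
    "node_modules/some-widget/node_modules/jquery": { version: "2.2.4" },
  },
};

console.log(findAffectedJquery(SAMPLE_LOCK));
```

Running the block reports only the top-level `3.0.0-rc.1` copy; the nested `2.2.4` is outside the range, and the bare `3.0.0` release (the fixed version) compares higher than every `3.0.0-rc.*` build and is likewise not flagged.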
Affected packages (4)
- Maven/org.webjars.npm:jquery: >= 3.0.0-rc1, < 3.0.0
- npm/jquery: >= 3.0.0-rc.1, < 3.0.0
- NuGet/jQuery: >= 3.0.0-rc.1, < 3.0.0
- RubyGems/jquery-rails: >= 3.0.0-rc.1, < 3.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (9)
- ADVISORY: https://github.com/advisories/GHSA-mhpp-875w-9cpv
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2016-10707
- PATCH: https://github.com/jquery/jquery
- WEB: https://github.com/jquery/jquery/issues/3133
- WEB: https://github.com/jquery/jquery/issues/3133#issuecomment-358978489
- WEB: https://github.com/jquery/jquery/pull/3134
- WEB: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2016-10707.yml
- WEB: https://snyk.io/vuln/npm:jquery:20160529
- WEB: https://www.npmjs.com/advisories/330