Outdated Form Validation Library Can Be Used to Knock Your Site Offline
Your website uses an old version of a popular form validation library (jQuery Validation 1.14.0) that contains a known flaw. An attacker can submit a specially crafted input into any form field that validates URLs, causing your server or browser to freeze while it tries to process it. This is a straightforward attack that requires no special skills or access.
Business Impact And Actions
high urgencyBusiness Impact
If exploited, this vulnerability can make your application temporarily unavailable to legitimate users — effectively taking it offline without any hacking of your servers or data. While no data is stolen, downtime damages user trust, can violate service-level agreements, and may trigger compliance flags if your application is subject to availability requirements. The attack requires no login and can be triggered by anyone who can access a form on your site.
What To Do
- Ask your developer to upgrade the jQuery Validation library to version 1.19.5 or later — this is a well-defined, low-risk update.
- If an immediate upgrade isn't possible, ask your developer to add a maximum character length limit on any URL input fields as a temporary safeguard.
- After the upgrade is deployed, verify the old version is no longer loaded by checking your site's page source or asking your developer to confirm.
- If your application uses a content delivery network (CDN) to load this library, make sure the CDN link is also updated to point to version 1.19.5 or later.
jQuery Validation < 1.19.5 — ReDoS via url2 Method (CVE-2022-31147)
high severity CVSS 7.5Vulnerability Explanation
The jQuery Validation Plugin's url2 validation method uses a regular expression containing nested quantifiers and overlapping alternations — specifically in the userinfo (username/password) portion of URL patterns. When a specially crafted input string is submitted, the regex engine enters a catastrophic backtracking state, exploring an exponentially growing number of matching paths. This freezes the JavaScript event loop (client-side) or exhausts server CPU (server-side rendering/Node.js contexts), causing a denial of service. The attack requires no authentication, no privileges, and no user interaction beyond submitting a form field. This is an incomplete fix of CVE-2021-43306 — the original patch did not fully eliminate all backtracking scenarios in the URL regex.
Root Cause
The url2 validation method's regular expression contained patterns with overlapping character classes and nested quantifiers (e.g., the \S+ pattern in the userinfo segment). These patterns allow the regex engine to attempt exponentially many matching paths when processing malicious input, a class of flaw known as catastrophic backtracking. The fix in 1.19.5 replaces the vulnerable pattern with a more restrictive character class that explicitly defines allowed characters, eliminating the ambiguity that causes backtracking.
Technical Impact
An unauthenticated remote attacker can submit a crafted URL string to any form field validated with the url2 method, causing the JavaScript regex engine to consume 100% CPU. In browser-side-only deployments, this freezes the victim's browser tab. In server-side or Node.js deployments where validation runs server-side, this can cause full application denial of service, making the application unresponsive to all users until the process is restarted. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Severity Justification
CVSS 3.1 score of 7.5 (High). Network-accessible, low complexity, no privileges or user interaction required. Impact is limited to availability (no confidentiality or integrity impact), but the attack is trivially executable against any exposed url2-validated form field.
Affected Components
jquery-validation < 1.19.5
Remediation Steps
- Upgrade jquery-validation to version 1.19.5 or later via your package manager: `npm install jquery-validation@1.19.5` or `yarn add jquery-validation@1.19.5`. Update your package.json to pin `"jquery-validation": ">=1.19.5"`.
- If loading via CDN, update the script tag to reference version 1.19.5 or later from the official CDN (e.g., cdnjs or jsDelivr). Remove or replace any reference to versions prior to 1.19.5.
- If an immediate upgrade is blocked, apply a temporary mitigation by adding a `maxlength` attribute (e.g., 2048 characters) to all URL input fields. This limits the input size an attacker can use to trigger backtracking, significantly reducing exploitability.
- After upgrading, audit your codebase for any use of the `url2` validation method and confirm it is now running from the patched version. Also check for any vendored or bundled copies of the library in your repository.
Verification Steps
- Run `npm list jquery-validation` (or `yarn list jquery-validation`) and confirm the installed version is 1.19.5 or higher.
- If loaded via CDN, inspect the page source or browser DevTools Network tab and confirm the script URL references version 1.19.5 or later.
- Search your codebase for any vendored copies: `grep -r 'jquery.validate' . --include='*.js'` and verify no pre-1.19.5 copies remain.
- Optionally, use a software composition analysis (SCA) tool such as `npm audit` to confirm no known vulnerabilities remain in the dependency tree.
Code Examples (html)
<!-- Vulnerable: loading an old version via CDN -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validation/1.14.0/jquery.validate.min.js"></script>
// package.json (vulnerable)
"jquery-validation": "^1.14.0"
<!-- Fixed: upgrade to 1.19.5 or later -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validation/1.19.5/jquery.validate.min.js"></script>
// package.json (fixed)
"jquery-validation": ">=1.19.5"
// Temporary mitigation: restrict URL field input length
<input type="url" name="website" maxlength="2048">
Best Practices
- Never rely solely on client-side validation for security-sensitive inputs — always validate and sanitize URL inputs server-side using a well-tested library.
- Add jquery-validation (and all frontend dependencies) to your dependency scanning pipeline (e.g., `npm audit`, Dependabot, or Snyk) so future vulnerable versions are flagged automatically.
- Audit your codebase for vendored or bundled copies of third-party libraries — these are often missed by package manager audits.
- Apply input length restrictions on all free-text and URL fields as a defense-in-depth measure against ReDoS and other input-based attacks.
References
- github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3
- github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd
- github.com/jquery-validation/jquery-validation/releases/tag/1.19.5
- www.cvedetails.com/cve/CVE-2022-31147/
- security.snyk.io/vuln/SNYK-JS-JQUERYVALIDATION-2940620
Found this in your infrastructure?
VulWall scans for this and dozens of other issues automatically.
Scan Your Domain Free