VulWall Team February 18, 2026 4 min read

Outdated jQuery Library Can Run Malicious Code in Visitors' Browsers

Your website uses an outdated version of jQuery, a common JavaScript tool. This version has a known flaw: if your site makes background data requests to other websites, a compromised or malicious third-party server could send back code that runs automatically in your visitors' browsers. Think of it like ordering a package and having the delivery driver hand you something unexpected that activates the moment you open the door.

OWASP A06 Effort: small Exploitable
xss jquery cors ajax frontend library cve script-injection

Business Impact And Actions

medium urgency

Business Impact

If exploited, this could allow an attacker to run unauthorised scripts in your visitors' browsers — potentially stealing login sessions or displaying misleading content. The risk is conditional: it only applies when your site makes background requests to external services without specifying what kind of data to expect. Compliance frameworks like SOC 2 and ISO 27001 flag known vulnerabilities in third-party libraries, so this could surface in a customer security review or audit.

What To Do

  1. Ask your developer to upgrade jQuery to version 3.0.0 or later — this is the primary fix and is typically a 1–2 hour task.
  2. Ask your developer to audit any background data requests your site makes to external services and ensure they specify the expected data format (e.g. JSON).
  3. If an upgrade isn't immediately possible, ask your developer to add a Content Security Policy header to your site as a temporary protective measure.
  4. After the fix, ask your developer to confirm the updated version is live using a tool like Retire.js or a browser developer console check.

jQuery < 3.0.0 XSS via CORS Response Script Execution (CVE-2015-9251)

medium severity CVSS 6.1

Vulnerability Explanation

In jQuery versions prior to 3.0.0, when a cross-origin AJAX request is made without an explicit `dataType` option, jQuery inspects the response's Content-Type header. If the server returns `text/javascript`, jQuery automatically passes the response body to `jQuery.globalEval()`, executing it in the global scope. An attacker who controls or can influence the response from a cross-origin endpoint — for example, a compromised CDN, API, or third-party service — can inject arbitrary JavaScript that executes in the victim's browser within the context of the originating page. Exploitation requires user interaction (visiting the affected page) and a cross-origin request to an attacker-influenced endpoint, making this a realistic but conditional attack vector.

Root Cause

jQuery lacked strict response type enforcement for cross-origin AJAX requests. When `dataType` was omitted, jQuery performed content-type sniffing and treated `text/javascript` responses as executable code, invoking `jQuery.globalEval()` without any sanitisation or user consent. This behaviour was corrected in jQuery 3.0.0, which no longer auto-executes cross-domain script responses.

Technical Impact

An attacker controlling a cross-origin endpoint targeted by the vulnerable jQuery AJAX call can execute arbitrary JavaScript in the victim's browser session. This enables session hijacking via cookie theft, DOM manipulation, credential harvesting via fake UI overlays, and redirection to malicious sites — all within the security context of the hosting page.

Severity Justification

CVSS 3.0 score of 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Network-accessible, no privileges required, but requires user interaction and a cross-origin request to an attacker-influenced endpoint. Impact is limited to confidentiality and integrity with no availability impact.

Affected Components

  • jQuery >= 1.0.0 and < 3.0.0

Remediation Steps

  1. Upgrade jQuery to version 3.0.0 or later. This is the definitive fix — the auto-execution of cross-domain `text/javascript` responses was removed in 3.0.0. If migrating from 1.x, review the jQuery 3.0 upgrade guide for breaking changes.
  2. If an immediate upgrade is not feasible, audit all `$.ajax()`, `$.get()`, and `$.post()` calls that target cross-origin URLs and add an explicit `dataType` option (e.g. `dataType: 'json'`). This prevents jQuery from treating the response as executable script.
  3. Remove any jQuery loaded from third-party CDNs without Subresource Integrity (SRI) checks, or add SRI hashes to existing CDN `<script>` tags to prevent CDN-served script tampering.
  4. Deploy a Content Security Policy (CSP) header with a restrictive `script-src` directive as a defence-in-depth measure to limit the impact of any script injection.

Verification Steps

  1. Run `curl -s https://yoursite.com | grep -i 'jquery'` or inspect the page source to confirm the loaded jQuery version is 3.0.0 or later.
  2. Use Retire.js CLI (`retire --path ./your-project`) or the Retire.js browser extension to scan for known vulnerable library versions.
  3. Check all cross-origin AJAX calls in your codebase: `grep -rn 'dataType' src/` — any `$.ajax` call targeting an external URL without `dataType` should be reviewed.
  4. Validate your CSP header using https://csp-evaluator.withgoogle.com/ after deployment.

Code Examples (javascript)

Vulnerable
// No dataType specified — jQuery will sniff Content-Type and may execute text/javascript responses
$.ajax({
  url: 'https://api.third-party.com/data',
  success: function(data) {
    console.log(data);
  }
});
Fixed
// Explicit dataType prevents auto-execution of script responses
$.ajax({
  url: 'https://api.third-party.com/data',
  dataType: 'json',  // Enforce expected response type
  success: function(data) {
    console.log(data);
  }
});

// Better yet: upgrade to jQuery 3.x and use the Fetch API or $.ajax with dataType
// jQuery 3.x CDN with SRI:
// <script
//   src="https://code.jquery.com/jquery-3.7.1.min.js"
//   integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo="
//   crossorigin="anonymous"></script>

Best Practices

  • Always specify `dataType` explicitly in jQuery AJAX calls to cross-origin endpoints — never rely on content-type sniffing.
  • Add Subresource Integrity (SRI) hashes to all third-party `<script>` and `<link>` tags loaded from CDNs.
  • Implement a Content Security Policy with a strict `script-src` directive to limit script execution to trusted origins.
  • Integrate Retire.js or a similar SCA tool into your CI/CD pipeline to catch vulnerable JavaScript library versions before they reach production.

References

Found this in your infrastructure?

VulWall scans for this and dozens of other issues automatically.

Scan Your Domain Free
Back to Knowledge Base