Platform
dotnet
Component
jquery.validation
Fixed in
1.19.4
1.19.3
CVE-2021-21252 identifies a Denial of Service (DoS) vulnerability within the jQuery.Validation library. This vulnerability stems from the presence of regular expressions susceptible to ReDoS (Regular Expression Denial of Service) attacks, potentially causing significant service disruption. The vulnerability affects versions of jQuery.Validation up to and including 1.9.0.1, with a fix available in version 1.19.3.
A ReDoS attack exploits inefficient regular expressions, causing them to consume excessive CPU resources and potentially crash the application or server. In the context of jQuery.Validation, an attacker could craft malicious input that triggers these vulnerable regular expressions, leading to a denial of service for users relying on the library. The impact can range from temporary website unavailability to complete system outages, depending on the deployment and load. While the vulnerability itself doesn't directly expose sensitive data, the resulting DoS can be used as a distraction for other malicious activities.
This vulnerability was discovered and reported by GitHub team member @erik-krogh. While no active exploitation campaigns have been publicly reported as of the last update, ReDoS vulnerabilities are generally considered exploitable and can be easily triggered. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, demonstrating the ease of triggering ReDoS attacks against vulnerable versions of jQuery.Validation.
Exploit Status
EPSS
0.70% (72nd percentile)
CVSS Vector
The primary mitigation for CVE-2021-21252 is to upgrade jQuery.Validation to version 1.19.3 or later, which contains the fix for the vulnerable regular expressions. If immediate upgrading is not feasible, consider implementing input validation and sanitization techniques to prevent malicious input from reaching the vulnerable regular expressions. Web Application Firewalls (WAFs) with regular expression filtering capabilities can also provide a temporary layer of protection. After upgrading, confirm the fix by testing the application with various input strings, including those known to trigger ReDoS vulnerabilities.
Update the jquery-validation package to version 1.19.3 or higher. This will resolve the regular expression denial of service (ReDoS) vulnerability. You can update the package using npm or yarn.
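The upgrade check described above, as an added example that is not code from the advisory or the jquery-validation project: it scans an npm package-lock.json object for every installed copy of jquery-validation, including copies nested under other packages, and reports those below the fixed release named here (1.19.3). The lockfile content and the version-ordering rule for pre-release suffixes are assumptions made for the example.

```javascript
// Added example, not code from the advisory or the jquery-validation project:
// scan an npm package-lock.json for jquery-validation copies older than the
// fixed release the advisory names (1.19.3). The lockfile below is constructed.
const FIXED_VERSION = "1.19.3";

// Compare dotted numeric versions; returns -1, 0 or 1. Pre-release/build
// suffixes are dropped (assumption: not needed to order releases here).
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, "").split(/[-+]/)[0].split(".").map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy (including nested ones) of jquery-validation.
// Handles lockfileVersion 1 ("dependencies" tree) and 2/3 ("packages" map).
function findJqueryValidation(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/jquery-validation") && pkg.version) {
        found.push({ path, version: pkg.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, dep] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "jquery-validation" && dep.version) found.push({ path, version: dep.version });
        if (dep.dependencies) walk(dep.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Return the copies that still need the upgrade described in the advisory.
function vulnerableCopies(lock) {
  return findJqueryValidation(lock).filter((c) => compareVersions(c.version, FIXED_VERSION) < 0);
}

// Constructed v2-style lockfile: one patched top-level copy, one unpatched nested copy.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "node_modules/jquery-validation": { version: "1.19.3" },
  "node_modules/legacy-forms/node_modules/jquery-validation": { version: "1.17.0" },
} };
```

Nested copies matter because a patched top-level dependency does not remove an older copy pulled in by another package; the scan reports each install path so the offending dependency can be updated or deduplicated.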
CVE-2021-21252 is a Denial of Service vulnerability in jQuery.Validation versions 1.9.0.1 and earlier, caused by vulnerable regular expressions that can lead to ReDoS attacks.
You are affected if your application uses jQuery.Validation version 1.9.0.1 or earlier. Check your project dependencies to determine if you are using a vulnerable version.
Upgrade jQuery.Validation to version 1.19.3 or later to resolve the vulnerability. If immediate upgrade is not possible, implement input validation and sanitization.
While no active campaigns have been publicly reported, ReDoS vulnerabilities are generally considered exploitable and public proof-of-concept exploits are available.
Refer to the GitHub Security Lab advisory and the jQuery.Validation project repository for details: https://github.com/jquery/jquery-validation/security/advisories/GHSA-5x4j-p347-497c