What is jQuery?
jQuery is the most widely deployed JavaScript library on the web, used to simplify DOM manipulation, event handling, animations, and AJAX calls. At its peak it was present on roughly 75–80% of websites with a detectable JavaScript library. That prevalence makes it a high-value target: a single exploitable flaw in jQuery affects millions of applications at once, including enterprise portals, CMSs, government websites, and third-party embedded widgets, and the fix only reaches users when every one of those deployments updates its bundled copy.
Overview
CVE-2020-11023 is a cross-site scripting (XSS) vulnerability in jQuery versions before 3.5.0. It is a sanitizer bypass (mutation XSS) rather than a plain injection bug: when an application passes HTML containing <option> elements to a jQuery DOM manipulation method (.html(), .append(), .prepend(), .after(), .before(), and similar), jQuery pre-processes and re-parses the string in a different context from the one a sanitizer used to check it, so markup that was inert when sanitized can become a live element with an inline event handler in the victim's browser. The advisory states that this happens even after the input has been sanitized. Whether the resulting XSS is stored or reflected depends on where the application obtained the HTML; the jQuery defect is the same either way. Its sibling, CVE-2020-11022, fixed in the same release, covers the htmlPrefilter regex path described under Technical Details.
CISA added this CVE to the KEV catalog in January 2025, nearly five years after the patch was released, reflecting continued active exploitation in the wild against unpatched applications.
Affected Versions
| Component | Affected | Fixed |
|---|---|---|
| jQuery | < 3.5.0 (all 1.x, 2.x, 3.0–3.4.x) | 3.5.0 |
jQuery 1.x and 2.x are end-of-life and will not receive patches; applications on those branches must move to 3.5.0 or later. The jQuery Migrate plugin reports removed or changed APIs during that move and is the recommended companion to the upgrade guide.
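Bundled copies of jQuery inside themes and plugins are usually not listed in any package manifest, so a manifest-based scanner never sees them. The following is an added example, not a tool from the jQuery project, NVD or CISA: it recognises a jQuery build from the banner every official build carries (or the version literal in unminified source) and compares the version with 3.5.0. The detection regexes are heuristics chosen for this example, and the sample file contents are constructed.

```javascript
// Added example, not a tool from the jQuery project, NVD or CISA. It looks for
// jQuery builds embedded in bundled or vendored JavaScript and compares the
// version found with the 3.5.0 fix. Detection is heuristic (banner and version
// literal); the sample file contents below are constructed for illustration.

// Official minified builds open with a banner such as
// "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */".
const MINIFIED_BANNER = /\/\*!\s*jQuery v(\d+\.\d+\.\d+[\w.-]*)/;
// Unminified builds carry "jQuery JavaScript Library v3.4.1" in the header
// comment and a version string literal in the source.
const SOURCE_HEADER = /jQuery JavaScript Library v(\d+\.\d+\.\d+[\w.-]*)/;
const VERSION_LITERAL = /\bversion\s*=\s*"(\d+\.\d+\.\d+[\w.-]*)"/;

const FIXED_VERSION = "3.5.0";

// Numeric major.minor.patch comparison; a prerelease/build suffix is ignored.
function compareVersions(a, b) {
  const parse = v => v.split(/[-+]/)[0].split(".").map(n => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

function detectJqueryVersion(source) {
  for (const re of [MINIFIED_BANNER, SOURCE_HEADER, VERSION_LITERAL]) {
    const m = re.exec(source);
    if (m) return m[1];
  }
  return null;
}

function assessFile(name, source) {
  const version = detectJqueryVersion(source);
  if (version === null) {
    return { name, version: null, vulnerable: false, note: "no jQuery build detected" };
  }
  const vulnerable = compareVersions(version, FIXED_VERSION) < 0;
  return {
    name, version, vulnerable,
    note: vulnerable
      ? "before 3.5.0: CVE-2020-11022 / CVE-2020-11023, upgrade"
      : "3.5.0 or later",
  };
}

// Runs the check over a map of path -> file contents (in real use, read them
// from disk, e.g. fs.readFileSync over a theme or plugin directory).
function auditFiles(files) {
  return Object.entries(files).map(([name, source]) => assessFile(name, source));
}

// Constructed sample tree: two embedded vulnerable copies of jQuery, one
// current copy, and a plugin that merely uses jQuery.
const SAMPLE_FILES = {
  "vendor/jquery.min.js":
    '/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){"use strict"}(window)',
  "themes/acme/js/jquery.js":
    "/*!\n * jQuery JavaScript Library v3.4.1\n * https://jquery.com/\n */\nvar\n\tversion = \"3.4.1\",\n",
  "plugins/slider/jquery.min.js":
    "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */",
  "plugins/slider/slider.js":
    "(function ($) { $.fn.slider = function () { return this; }; })(jQuery);",
};
```

The version comparison is numeric rather than lexical on purpose: a string compare would rank 3.10.x below 3.5.0. A runtime check in the browser console (jQuery.fn.jquery) confirms which copy actually won when several are loaded on one page.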
Technical Details
jQuery's htmlPrefilter function applied a regex substitution to every HTML string before it was inserted into the DOM. Excerpt from jQuery 3.4.1, with the regex it used:

```javascript
// Pre-3.5.0 (excerpt from jQuery 3.4.1): the regex and the prefilter that applied it
var rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

jQuery.extend( {
	htmlPrefilter: function( html ) {

		// Turns "<tag/>" into "<tag></tag>" for every tag not in the void list above
		return html.replace( rxhtmlTag, "<$1></$2>" );
	}
} );
```

The regex rxhtmlTag converts self-closing syntax such as <div /> into <div></div>. The rewrite is not context aware: it also fires on a "<tag/>" that a sanitizer had already classified as inert text inside a raw-text element such as <style>, and the inserted closing tag ends that element early, so whatever follows is parsed as markup rather than text. That regex path is CVE-2020-11022. CVE-2020-11023 comes from the second pre-processing step jQuery applied in buildFragment: before assigning innerHTML it wrapped the string according to its leading tag (wrapMap), and for <option> and <optgroup> the wrapper was <select multiple='multiple'>. The HTML parser's "in select" insertion mode ignores most start tags, including <style>, so a sequence a sanitizer saw as option, then style, then harmless text is parsed inside jQuery's temporary element as option, then a closing </select>, then a live <img> with its inline event handler. The table wrappers (<thead>, <colgroup>, <tr>, <td>) live in the same wrapMap and were kept in 3.5.0; the <select> wrapper was dropped for browsers that do not need it. In both cases the browser parses a different tree from the one the sanitizer approved, and inline event handlers execute.
CWE-79 (Improper Neutralization of Input During Web Page Generation): the core issue is that jQuery treated the HTML string it produced (regex-rewritten and wrapped) as meaning the same thing as the string it was given. Neither step neutralizes event handler attributes, and because the mutation happens after any application-side sanitizer has run, the sanitizer's approval no longer describes what the browser parses.
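To make the two mutations concrete, the following is an added example, not code from the jQuery project or from this advisory. It replays, as plain string operations, the two pre-processing steps jQuery 3.4.1 performed before assigning a string to innerHTML, next to the 3.5.0 behaviour (identity prefilter, no <select> wrapper). The rxhtmlTag and rtagName regexes and the wrapMap table are copied from jQuery 3.4.1; the two payloads are constructed; because this runs in Node without a DOM, what the browser does with each output is described in comments rather than executed.

```javascript
// Added example, not code from the jQuery project or this advisory. It replays,
// as plain string operations, the two pre-processing steps jQuery 3.4.1 applied
// to an HTML string before assigning it to innerHTML, next to what 3.5.0 does.
// rxhtmlTag, rtagName and wrapMap are copied from jQuery 3.4.1; the payloads
// are constructed; browser-parse outcomes are described in comments because
// this runs in Node without a DOM.

// Step 1 (3.4.1): htmlPrefilter rewrites "<tag/>" to "<tag></tag>" for every
// tag not in the void-element list.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function htmlPrefilterLegacy(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// Step 1 (3.5.0): identity function.
function htmlPrefilterFixed(html) {
  return html;
}

// Step 2: buildFragment picks a wrapper from the leading tag so that table
// parts and <option> survive innerHTML on a <div>. The table wrappers still
// exist in 3.5.0; the <select> wrapper for option/optgroup was dropped there.
const wrapMap = {
  option: [1, "<select multiple='multiple'>", "</select>"],
  thead: [1, "<table>", "</table>"],
  col: [2, "<table><colgroup>", "</colgroup></table>"],
  tr: [2, "<table><tbody>", "</tbody></table>"],
  td: [3, "<table><tbody><tr>", "</tr></tbody></table>"],
  _default: [0, "", ""],
};
wrapMap.optgroup = wrapMap.option;
wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead;
wrapMap.th = wrapMap.td;

const rtagName = /<([a-z][^\/\0>\x20\t\r\n\f]*)/i;

// The exact string jQuery assigns to its temporary element's innerHTML.
function innerHtmlInput(html, prefilter, keepSelectWrapper) {
  const tag = (rtagName.exec(html) || ["", ""])[1].toLowerCase();
  let wrap = wrapMap[tag] || wrapMap._default;
  if (!keepSelectWrapper && (tag === "option" || tag === "optgroup")) {
    wrap = wrapMap._default; // 3.5.0 behaviour outside old IE
  }
  return wrap[1] + prefilter(html) + wrap[2];
}

function legacyPipeline(html) { return innerHtmlInput(html, htmlPrefilterLegacy, true); }
function fixedPipeline(html)  { return innerHtmlInput(html, htmlPrefilterFixed, false); }

// Constructed payloads. A sanitizer parsing either one in a <div> context sees
// the <img ...> as raw text inside a <style> element and keeps it as text.
//
// CVE-2020-11022 shape: the inner "<style/>" is text to the sanitizer, but the
// prefilter turns it into "<style></style>", and that "</style>" closes the
// outer raw-text element early, so the browser parses <img> as a real element
// and its onerror handler runs when the bogus image fails to load.
const payloadSelfClosing = "<style><style/><img src=x onerror=alert(1)></style>";
//
// CVE-2020-11023 shape: no "/>" anywhere, so the prefilter is not involved. The
// <select> wrapper puts the parser in "in select" mode, where <style> is
// ignored instead of starting raw text; </option></select> then end the
// wrapper and <img> is parsed as a live element outside it.
const payloadOption =
  "<option><style></option></select><img src=x onerror=alert(1)></style></option>";
```

Running legacyPipeline over the two payloads yields the mutated strings described in the comments; fixedPipeline returns both unchanged, which is why 3.5.0 parses exactly the tree the sanitizer approved. The table wrappers behave identically in both pipelines, showing that the fix was targeted at the two dangerous transformations rather than at the wrapping mechanism as a whole.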
Attack characteristics:
- Requires user interaction (UI:R): the victim must load a page that renders the attacker's markup through a jQuery DOM method.
- Attack complexity High (AC:H) in this vector: exploitation depends on an application path that feeds attacker-influenced HTML to one of those methods, and the payload has to match the shape that the prefilter or the <option> wrapper mutates.
- Scope Changed (S:C): the vulnerable component is the jQuery library, but the impact lands in the user's authenticated session with the embedding site, so the library's flaw crosses into the application's security authority.
- No privileges required (PR:N): the attacker needs no account on the target; a stored payload can be planted by anyone allowed to submit content, a reflected one by anyone who can get the victim to follow a link.
A companion vulnerability, CVE-2020-11022, fixed in the same release, covers the more general case: the htmlPrefilter regex rewrite of self-closing tags shown above, which applies to any HTML string passed to these methods, not only strings containing <option> elements. CVE-2020-11023 is the <option> wrapper case.
Discovery
Both issues were reported to the jQuery team ahead of the 3.5.0 release. The GitHub Security Advisory for CVE-2020-11023 is GHSA-jpcq-cgw6-v4j6. The fix shipped alongside CVE-2020-11022 in jQuery 3.5.0 on April 10, 2020.
Exploitation Context
Despite a patch being available since April 2020, jQuery XSS vulnerabilities remain actively exploited because:
- Legacy deployments are widespread. jQuery 1.x and 2.x are still embedded in millions of sites, CMSs, and enterprise applications that have not been updated.
- Third-party components. jQuery is frequently bundled inside plugins, themes, and vendor-supplied UI components, where the version is not directly controlled by the application owner.
- Exploitation is cheap once a sink is found. The mutation payloads are public and a few dozen bytes long; the attacker's work is finding an endpoint whose HTML reaches a jQuery DOM method, and a sanitizer in front of that method does not stop these specific payloads.
Typical exploitation goals include session cookie theft, credential harvesting via fake login overlays, malicious redirects, and drive-by malware delivery. The XSS scope means the injected script can read DOM content and make authenticated requests as the victim user.
CISA's January 2025 KEV listing means the agency has evidence of exploitation in the wild. The BOD 22-01 deadline binds US federal civilian agencies, but the exposed population is any web application that still ships a pre-3.5.0 jQuery and renders user-influenced HTML through it.
Remediation
- Upgrade jQuery to 3.5.0 or later. This is the definitive fix. jQuery 3.5.0 made htmlPrefilter an identity function and stopped wrapping <option> markup in a <select> before parsing, which removes both mutation paths. Code that relied on jQuery expanding <div /> style self-closing tags may behave differently after the upgrade; the jQuery 3.5 upgrade guide and the jQuery Migrate plugin cover that.
- Audit third-party dependencies. Check bundled plugins, themes, and vendor UI components for embedded jQuery copies with npm audit, Retire.js, or OWASP Dependency-Check. Vendored copies often sit outside any package manifest, so also search shipped JavaScript for the "/*! jQuery v" banner.
- Do not treat string sanitization as a fix on a vulnerable jQuery. These CVEs are sanitizer bypasses: the HTML is mutated after the sanitizer has approved it. If you cannot upgrade immediately, override jQuery.htmlPrefilter with a function that returns its argument unchanged on versions that expose it (this is what 3.5.0 does and it closes the regex path of CVE-2020-11022), and stop handing HTML strings to jQuery for untrusted content: sanitize into DOM nodes (for example DOMPurify's RETURN_DOM_FRAGMENT option) and pass the nodes, or use .text() where markup is not needed. The <option> wrapper path of CVE-2020-11023 is only avoided by not passing untrusted HTML strings at all.
- Implement Content Security Policy (CSP). A policy whose script-src omits 'unsafe-inline' (for example script-src 'self') blocks inline event handlers such as onerror=, which is exactly how these mutation payloads execute, and restricts where external scripts may load from. Treat it as defense in depth, not as the fix.
- Review application code. Audit every sink that parses an HTML string: .html(), .append(), .prepend(), .after(), .before(), .replaceWith(), .wrap(), jQuery.parseHTML(), and the jQuery( "<...>" ) constructor itself, for any path where user-controlled data arrives as markup.
- Monitor for exploitation. Review server and WAF logs for request parameters that contain self-closing non-void tags, <option> markup followed by </select>, or inline event handler attributes. WAF rule sets such as the OWASP ModSecurity Core Rule Set cover generic XSS payloads. Stored payloads usually arrive through POST bodies or APIs that access logs do not record, so WAF or application-level logging is needed for coverage.
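As a triage aid for the monitoring step, the following is an added example, not from the advisory or any WAF vendor. It parses combined-format access-log records, URL-decodes the query parameters and flags the two markup shapes that a pre-3.5.0 jQuery mutates (reusing jQuery's own rxhtmlTag pattern as the first signature) plus inline event handler attributes. The signatures and the log lines are constructed for this example; the check is deliberately narrow and is not a replacement for a WAF rule set.

```javascript
// Added example, not from the advisory or any WAF vendor. It scans constructed
// access-log lines for request parameters carrying the two markup shapes that
// jQuery < 3.5.0 mutates, plus inline event handler attributes. The signatures
// are heuristics for triage, not a complete rule set.

// The regex jQuery 3.4.1 used in htmlPrefilter, reused here as a signature:
// a non-void tag written as "<tag/>" is the CVE-2020-11022 trigger.
const SELF_CLOSING_NON_VOID =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)[a-z][^\/\0>\x20\t\r\n\f]*[^>]*\/>/i;
// <option> markup that also closes a <select>: the CVE-2020-11023 shape.
const OPTION_SELECT_ESCAPE = /<option\b[\s\S]*<\/select>/i;
// Inline event handler attribute preceded by whitespace or a quote/slash,
// e.g. " onerror=" or "/onload=".
const EVENT_HANDLER = /[\s"'\/]on[a-z]+\s*=/i;

const REASONS = {
  selfClosing: "self-closing non-void tag (htmlPrefilter rewrite trigger)",
  optionEscape: "<option> markup that closes a <select> (option wrapper escape)",
  handler: "inline event handler attribute",
};

// Request line inside a combined-log-format record: "GET /path?query HTTP/1.1".
const REQUEST_LINE = /"(?:GET|POST|PUT|PATCH) ([^ "]+) HTTP\/[\d.]+"/;

function decodeParam(value) {
  try {
    return decodeURIComponent(value.replace(/\+/g, " "));
  } catch (e) {
    return value; // malformed percent-encoding: inspect the raw value instead
  }
}

// Query-string parameters of one log line, URL-decoded.
function extractParams(line) {
  const m = REQUEST_LINE.exec(line);
  if (!m) return [];
  const q = m[1].indexOf("?");
  if (q < 0) return [];
  return m[1].slice(q + 1).split("&").filter(Boolean).map(kv => {
    const eq = kv.indexOf("=");
    const key = eq < 0 ? kv : kv.slice(0, eq);
    const value = eq < 0 ? "" : kv.slice(eq + 1);
    return { key: decodeParam(key), value: decodeParam(value) };
  });
}

function classifyParam(value) {
  if (!value.includes("<")) return []; // no markup, nothing for jQuery to parse
  const reasons = [];
  if (SELF_CLOSING_NON_VOID.test(value)) reasons.push(REASONS.selfClosing);
  if (OPTION_SELECT_ESCAPE.test(value)) reasons.push(REASONS.optionEscape);
  if (EVENT_HANDLER.test(value)) reasons.push(REASONS.handler);
  return reasons;
}

function scanLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    for (const { key, value } of extractParams(line)) {
      const reasons = classifyParam(value);
      if (reasons.length > 0) hits.push({ line, param: key, value, reasons });
    }
  }
  return hits;
}

// Constructed sample records in combined log format. Lines 2 and 3 carry the
// two payload shapes (URL-encoded); lines 1 and 4 are benign, and line 4 shows
// that a void element such as <br/> is not flagged.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2020:12:00:01 +0000] "GET /search?q=hello+world HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.8 - - [10/Apr/2020:12:00:02 +0000] "GET /comment?body=%3Cstyle%3E%3Cstyle%2F%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 88 "-" "curl/7.68.0"',
  '203.0.113.9 - - [10/Apr/2020:12:00:03 +0000] "GET /profile?bio=%3Coption%3E%3Cstyle%3E%3C%2Foption%3E%3C%2Fselect%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [10/Apr/2020:12:00:04 +0000] "GET /widget?html=%3Cbr%2F%3Eline HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
];
```

Decoding before matching matters: the payloads arrive percent-encoded, and a signature applied to the raw request line would miss them. Because access logs only carry GET query strings, the same classifyParam check should be run over WAF or application logs that record POST bodies and stored content.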
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-11023 |
| Vendor / Product | jQuery / jQuery |
| NVD Published | 2020-04-29 |
| NVD Last Modified | 2025-11-07 |
| CVSS 3.1 Score | 6.9 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N |
| Severity | MEDIUM |
| CWE | CWE-79 |
| CISA KEV Added | 2025-01-23 |
| CISA KEV Deadline | 2025-02-13 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-04-10 | jQuery 3.5.0 released, fixing CVE-2020-11022 and CVE-2020-11023 |
| 2020-04-29 | CVE-2020-11023 published |
| 2025-01-23 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2025-02-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2020-11023 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| GitHub Security Advisory GHSA-jpcq-cgw6-v4j6 | Vendor Advisory |
| jQuery 3.5.0 Released | Vendor Blog |
| jQuery 3.5 Upgrade Guide | Vendor Documentation |