jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-11358
This medium-severity CVE scores 6.1 under NVD CVSS v3. EPSS exploit probability: 2.4%, top 15% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High exploitation likelihood — EPSS 87%
A fix is available — apply it.
- CVSS v3
- 6.1
- EG Score
- 6.1(medium)
- EPSS
- 99.7%
- KEV
- Not listed
Published
April 20, 2019
Last Modified
November 21, 2024
References (146)
- cve@mitrehttp://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html
- cve@mitrehttp://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html
- cve@mitrehttp://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html
- cve@mitrehttp://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html
- cve@mitrehttp://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html
- cve@mitrehttp://seclists.org/fulldisclosure/2019/May/10
- cve@mitrehttp://seclists.org/fulldisclosure/2019/May/11
- cve@mitrehttp://seclists.org/fulldisclosure/2019/May/13
- cve@mitrehttp://www.openwall.com/lists/oss-security/2019/06/03/2
- cve@mitrehttp://www.securityfocus.com/bid/108023
- cve@mitrehttps://access.redhat.com/errata/RHBA-2019:1570
- cve@mitrehttps://access.redhat.com/errata/RHSA-2019:1456
- cve@mitrehttps://access.redhat.com/errata/RHSA-2019:2587
- cve@mitrehttps://access.redhat.com/errata/RHSA-2019:3023
- cve@mitrehttps://access.redhat.com/errata/RHSA-2019:3024
Vendor Advisories for CVE-2019-11358(15)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- CVE-2019-11358Microsoft Security Response Center (MSRC)
CVE-2019-11358
- RHSA-2023:1043Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 7
- RHSA-2023:1049Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update
- RHSA-2023:1047Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 for OpenShift image security and enhancement update
- RHSA-2023:1045Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 9
- RHSA-2023:1044Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat Single Sign-On 7.6.2 security update on RHEL 8
- RHSA-2023:0556Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
- RHSA-2023:0554Red Hat Product SecurityHigh
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.9 Security update
- +7 more
Patch Availability(25)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(7 across 6 ecosystems)
Packagist(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| drupal/core | 8.0.0 ... 8.6.9 (95 versions) | 8.6.15 | — |
| maximebf/debugbar | 1.0 ... v1.18.2 (60 versions) | 1.19.0 | — |
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.webjars.npm:jquery | 1.11.0 ... 3.3.1 (33 versions) | 3.4.0 | — |
npm(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| jquery | — | 3.4.0 | — |
NuGet(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| jQuery | 1.10.0 ... 3.3.1 (56 versions) | 3.4.0 | — |
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| django | 2.2, 2.2.1, 2.2a1, 2.2b1, 2.2rc1 | 2.2.2 | — |
RubyGems(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| jquery-rails | 0.1.1 ... 4.3.3 (72 versions) | 4.3.4 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(10)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHBA-2019:1570MODERATE2019-03-27
RHBA-2019:1570 — Moderate
- Red HatRHBA-2020:0402MODERATE2019-03-27
RHBA-2020:0402 — Moderate
- Red HatRHSA-2019:1456MODERATE2019-03-27
RHSA-2019:1456 — Moderate
- Red HatRHSA-2019:2587MODERATE2019-03-27
RHSA-2019:2587 — Moderate
- Red HatRHSA-2019:3023MODERATE2019-03-27
RHSA-2019:3023 — Moderate
- Red HatRHSA-2019:3024MODERATE2019-03-27
RHSA-2019:3024 — Moderate
- Red HatRHSA-2020:1325MODERATE2019-03-27
RHSA-2020:1325 — Moderate
- Red HatRHSA-2020:3936MODERATE2019-03-27
RHSA-2020:3936 — Moderate
- Red HatRHSA-2020:4670MODERATE2019-03-27
RHSA-2020:4670 — Moderate
- Red HatRHSA-2020:5581MODERATE2019-03-27
RHSA-2020:5581 — Moderate
Data Freshness Timeline
(refreshed 0× in last 7d / 16× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-04 06:28 UTCEPSS rescore
- 2026-07-04 06:28 UTCEPSS rescore
- 2026-07-03 12:56 UTCOSV refresh
- 2026-07-01 15:03 UTCEPSS rescore
- 2026-07-01 15:03 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-17 17:50 UTCEPSS rescore
- 2026-06-15 17:45 UTCEPSS rescore
- 2026-06-15 03:13 UTCOSV refresh
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-14 23:15 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-12 23:09 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-11 13:58 UTCEPSS rescore
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:19 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-08 14:14 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-06 13:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
Show 22 moreShow fewer
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-05 06:08 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-04 13:10 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-06-01 13:50 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 20:26 UTCEG score recompute
- 2026-05-27 20:26 UTCVendor advisory
- 2026-05-27 15:05 UTCOSV refresh
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 13:42 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
- 2026-05-26 07:17 UTCEPSS rescore
Publicly available exploits
(5 references)Working exploit code is in the public domain (4 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-52141First seen Apr 8, 2025
jQuery 3.3.1 - Prototype Pollution & XSS Exploit
Open source ↗ - GitHub PoCchrisneagu/FTC-Skystone-Dark-Angels-Romania-2020First seen Mar 8, 2021
NOTICE This repository contains the public FTC SDK for the SKYSTONE (2019-2020) competition season. If you are looking for the current season's FTC SDK software, please visit the new and permanent home of the public FTC SDK: FtcRobotController repository Welcome! This GitHub repository contains the source code that is used to build an Android app to control a FIRST Tech Challenge competition robot. To use this SDK, download/clone the entire project to your local computer. Getting Started If you are new to robotics or new to the FIRST Tech Challenge, then you should consider reviewing the FTC Blocks Tutorial to get familiar with how to use the control system: FTC Blocks Online Tutorial Even if you are an advanced Java programmer, it is helpful to start with the FTC Blocks tutorial, and then migrate to the OnBot Java Tool or to Android Studio afterwards. Downloading the Project If you are an Android Studio programmer, there are several ways to download this repo. Note that if you use the Blocks or OnBot Java Tool to program your robot, then you do not need to download this repository. If you are a git user, you can clone the most current version of the repository: git clone https://github.com/FIRST-Tech-Challenge/SKYSTONE.git Or, if you prefer, you can use the "Download Zip" button available through the main repository page. Downloading the project as a .ZIP file will keep the size of the download manageable. You can also download the project folder (as a .zip or .tar.gz archive file) from the Downloads subsection of the Releases page for this repository. Once you have downloaded and uncompressed (if needed) your folder, you can use Android Studio to import the folder ("Import project (Eclipse ADT, Gradle, etc.)"). Getting Help User Documentation and Tutorials FIRST maintains online documentation with information and tutorials on how to use the FIRST Tech Challenge software and robot control system. You can access this documentation using
Open source ↗ - GitHub PoCDanielRuf/snyk-js-jquery-565129First seen Apr 14, 2020
patches for SNYK-JS-JQUERY-565129, SNYK-JS-JQUERY-567880, CVE-2020-1102, CVE-2020-11023, includes the patches for SNYK-JS-JQUERY-174006, CVE-2019-11358, CVE-2019-5428
Open source ↗ - GitHub PoCbitnesswise/jquery-prototype-pollution-fixFirst seen Jul 18, 2019
A fix for CVE-2019-11358 (prototype pollution in jquery)
Open source ↗ - GitHub PoCDanielRuf/snyk-js-jquery-174006First seen Mar 30, 2019
patches for SNYK-JS-JQUERY-174006, CVE-2019-11358, CVE-2019-5428
Open source ↗
Frequently asked(5)
What is CVE-2019-11358?
When was CVE-2019-11358 disclosed?
Is CVE-2019-11358 actively exploited?
What is the CVSS score of CVE-2019-11358?
How do I remediate CVE-2019-11358?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2019-11358
Is Your Infrastructure Affected by CVE-2019-11358?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.