CVE-2025-3573 | THREATINT

Description

Versions of the package jquery-validation before 1.20.0 are vulnerable to Cross-site Scripting (XSS) in the showLabel() function, which may take input from a user-controlled placeholder value. This value will populate a message via $.validator.messages in a user localizable dictionary.

PUBLISHED Reserved 2025-04-14 | Published 2025-04-15 | Updated 2025-04-15 | Assigner snyk

MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

Cross-site Scripting (XSS)

Credits

Volkan Ceylan

References

security.snyk.io/vuln/SNYK-JS-JQUERYVALIDATION-5952285

github.com/jquery-validation/jquery-validation/pull/2462

github.com/...ommit/7a490d8f39bd988027568ddcf51755e1f4688902

cve.org (CVE-2025-3573)

nvd.nist.gov (CVE-2025-3573)

Download JSON