jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| jquery(npm) | 3.0.0-rc.1 | 3.0.0 | N/A |
| jQuery(NuGet) | 3.0.0-rc.1 | 3.0.0 | N/A |
| org.webjars.npm:jquery(Maven) | 3.0.0-rc1 | 3.0.0 | N/A |
| jquery-rails(RubyGems) | 3.0.0-rc.1 | 3.0.0 | N/A |
CVSS Metrics
