CVE-2016-10707
Description
jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to the removal of the logic that lowercased attribute names. Any attribute getter using a mixed-case name for a boolean attribute goes into an infinite recursion, exceeding the call stack limit.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
jQuery 3.0.0-rc.1 is vulnerable to Denial of Service due to an infinite recursion in attribute getters using mixed-case names for boolean attributes.
Vulnerability
jQuery version 3.0.0-rc.1 is vulnerable to a Denial of Service (DoS) condition. The vulnerability arises because the logic that lowercased attribute names was removed, causing any attribute getter that uses a mixed-case name for a boolean attribute to enter an infinite recursion, eventually exceeding the call stack limit [1], [2], [3].
Exploitation
An attacker can trigger this vulnerability by crafting an input that causes the application to call a boolean attribute getter with a mixed-case name. No authentication or special access is required; the attack can be carried out remotely if the application processes user-controlled input that is passed to jQuery's attribute getter methods [2], [3].
Impact
Successful exploitation results in a stack overflow and crash of the application, leading to a Denial of Service. The vulnerability does not allow for arbitrary code execution or data disclosure; it solely affects availability [1], [2], [3].
Mitigation
The fix was implemented in jQuery 3.0.0, released on June 3, 2016. Users should upgrade to jQuery 3.0.0 or later to remediate the vulnerability. No workarounds are available, and the 3.x branch is currently in critical-only support mode [1], [4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| jquery | npm | >= 3.0.0-rc.1, < 3.0.0 | 3.0.0 |
| jQuery | NuGet | >= 3.0.0-rc.1, < 3.0.0 | 3.0.0 |
| org.webjars.npm:jquery | Maven | >= 3.0.0-rc1, < 3.0.0 | 3.0.0 |
| jquery-rails | RubyGems | >= 3.0.0-rc.1, < 3.0.0 | 3.0.0 |
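The affected range above is a pre-release range, and naive version comparisons get it wrong: a plain string or float comparison treats 3.0.0-rc.1 as equal to or greater than 3.0.0, so an inventory check would miss the one vulnerable build. The following is an added example, not code from the advisory or from the jQuery project, that applies SemVer precedence rules (a pre-release sorts below its release) to decide whether a jQuery version string falls inside ">= 3.0.0-rc.1, < 3.0.0". It deliberately accepts the Maven spelling "3.0.0-rc1" from the table as equivalent to "3.0.0-rc.1" by splitting trailing digits off an alphanumeric identifier, which is a convenience beyond strict SemVer. The function names and the sample dependency list are constructed for this example.

```javascript
// Added example (not part of the advisory or of jQuery): checks whether a
// jQuery version string falls inside the affected range for CVE-2016-10707,
// ">= 3.0.0-rc.1, < 3.0.0", using SemVer 2.0.0 precedence rules so that
// pre-releases such as 3.0.0-rc.1 sort below 3.0.0.

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
// The Maven coordinate on this page writes the pre-release as "rc1" rather
// than "rc.1"; splitting "rc1" into ["rc", 1] lets both spellings compare equal
// (an accommodation for this table, not part of strict SemVer).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  const pre = m[4]
    ? m[4].split('.').flatMap(id => {
        // split trailing digits off an alphanumeric identifier: "rc1" -> ["rc", "1"]
        const t = /^([A-Za-z-]+)(\d+)$/.exec(id);
        return t ? [t[1], t[2]] : [id];
      }).map(id => (/^\d+$/.test(id) ? Number(id) : id))
    : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Compare two pre-release identifier lists per SemVer: an empty list (a
// release) outranks any pre-release; numeric identifiers rank below
// alphanumeric ones; numerics compare as numbers, strings lexically; when
// one list is a prefix of the other, the shorter one is lower.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  for (let i = 0; i < Math.min(a.length, b.length); i++) {
    const x = a[i], y = b[i];
    const xn = typeof x === 'number', yn = typeof y === 'number';
    if (xn && yn) { if (x !== y) return x < y ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return a.length - b.length;
}

// Returns -1, 0 or 1 for a < b, a == b, a > b under SemVer precedence.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  return Math.sign(comparePre(pa.pre, pb.pre));
}

// Affected range from the advisory table: >= 3.0.0-rc.1 and < 3.0.0.
const AFFECTED_LOWER = '3.0.0-rc.1';
const FIXED_VERSION = '3.0.0';

function isAffectedByCve201610707(version) {
  return compareVersions(version, AFFECTED_LOWER) >= 0 &&
         compareVersions(version, FIXED_VERSION) < 0;
}

// Scan a lockfile-style list of {name, version} entries and report the
// jquery entries that still need the 3.0.0 upgrade.
function findAffected(entries) {
  return entries
    .filter(e => e.name === 'jquery' && isAffectedByCve201610707(e.version))
    .map(e => `${e.name}@${e.version}`);
}

// Constructed sample input, not taken from any real project.
const sampleEntries = [
  { name: 'jquery', version: '2.2.4' },
  { name: 'jquery', version: '3.0.0-rc.1' },
  { name: 'jquery', version: '3.0.0-rc1' },   // Maven-style spelling
  { name: 'jquery', version: '3.0.0' },
  { name: 'lodash', version: '4.17.21' },
];
console.log(findAffected(sampleEntries));
// -> [ 'jquery@3.0.0-rc.1', 'jquery@3.0.0-rc1' ]
```

Only the release candidate is flagged: 2.2.4 is below the range, 3.0.0 is the fixed release and sorts above its own pre-release, and the two spellings of the rc build both match. Earlier pre-releases such as 3.0.0-beta1 sort below "rc" lexically and are therefore not reported, which matches the lower bound in the table.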
Affected products
- ghsa-coords (4 version ranges; no CPE assigned):
  - >= 3.0.0-rc.1, < 3.0.0
  - >= 3.0.0-rc1, < 3.0.0
  - >= 3.0.0-rc.1, < 3.0.0
  - >= 3.0.0-rc.1, < 3.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-mhpp-875w-9cpv (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-10707 (GHSA; advisory)
- github.com/jquery/jquery/issues/3133 (GHSA; x_refsource_MISC; web)
- github.com/jquery/jquery/pull/3134 (GHSA; x_refsource_MISC; web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2016-10707.yml (GHSA; web)
- snyk.io/vuln/npm:jquery:20160529 (GHSA; x_refsource_MISC; web)
- www.npmjs.com/advisories/330 (GHSA; web)
News mentions
No linked articles in our index yet.