VYPR
Moderate severity · OSV Advisory · Published Apr 19, 2019 · Updated Nov 15, 2024

CVE-2019-11358

Description

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) allowing Object.prototype pollution via __proto__, affecting Drupal, Backdrop CMS, and others.

Root Cause

CVE-2019-11358 is a prototype pollution vulnerability in the jQuery JavaScript library, present in versions before 3.4.0. The flaw is in jQuery.extend when it is called in deep-copy mode, jQuery.extend(true, {}, ...) [1]. In that mode, for every key of the source object whose value is a plain object, extend reads the same key from the target to obtain the object it will recurse into. A fresh target has no own property named __proto__, so target["__proto__"] resolves through the inherited accessor to the target's prototype, normally Object.prototype, which jQuery's plain-object test accepts; the source's nested keys are then written onto Object.prototype itself [1]. An own, enumerable __proto__ key is exactly what JSON.parse produces from attacker-controlled text such as {"__proto__": {...}} (an object literal written as {__proto__: ...} sets the prototype instead and is not affected). The pre-3.4.0 loop guarded only against a self-referential copy (target === copy) and had no check on special property names.
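As an added illustration (not jQuery's own code, nor code from any project named on this page), the following JavaScript re-creates the shape of the vulnerable deep merge beside a 3.4.0-style hardened one and probes Object.prototype after each. The helper names (isPlainObject, deepExtendVulnerable, deepExtendHardened, mergeAndProbe) and the PAYLOAD string are this example's own constructions, and isPlainObject is a simplification of jQuery's test:

```javascript
// Added illustration for CVE-2019-11358. deepExtendVulnerable is a cut-down
// re-creation of the shape of jQuery.extend(true, target, source) before 3.4.0;
// it is not jQuery's code, and isPlainObject is a simplification of jQuery's.

function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  // Object.prototype itself (null proto) passes this test, which is the crux.
  return proto === null || proto === Object.prototype;
}

// Vulnerable shape: the only guard in the loop is the self-reference check.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (target === copy) continue; // never-ending loop guard only
    if (isPlainObject(copy)) {
      // With name === "__proto__" and a plain {} target, this reads the
      // inherited accessor and yields Object.prototype, which then becomes
      // the clone that the recursive call writes the attacker's keys into.
      const src = target[name];
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Hardened shape: the 3.4.0 guard (skip the "__proto__" key) plus own-property
// checks so inherited keys on either side are never merged.
function deepExtendHardened(target, source) {
  for (const name in source) {
    if (name === "__proto__") continue; // the one-line upstream fix
    if (!Object.prototype.hasOwnProperty.call(source, name)) continue;
    const copy = source[name];
    if (target === copy) continue;
    if (isPlainObject(copy)) {
      const src = Object.prototype.hasOwnProperty.call(target, name) ? target[name] : undefined;
      const clone = isPlainObject(src) ? src : {};
      target[name] = deepExtendHardened(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input: what an unsanitised JSON body yields after
// JSON.parse, which creates an OWN enumerable "__proto__" data property
// (an object literal {__proto__: ...} would not).
const PAYLOAD = '{"__proto__": {"devMode": true}, "title": "x"}';

// Merges the payload into a fresh object with the given extend function and
// reports whether Object.prototype was polluted. Always cleans up so one run
// cannot poison the next.
function mergeAndProbe(extendFn) {
  const result = extendFn({}, JSON.parse(PAYLOAD));
  const polluted = "devMode" in {};
  delete Object.prototype.devMode;
  return { polluted, title: result.title };
}

console.log(mergeAndProbe(deepExtendVulnerable)); // { polluted: true, title: 'x' }
console.log(mergeAndProbe(deepExtendHardened));   // { polluted: false, title: 'x' }
```

Run with node. The vulnerable merge reports polluted: true because JSON.parse creates an own "__proto__" data property on the source, and reading the same key on the empty target goes through the inherited accessor and hands back Object.prototype as the object to merge into; the hardened merge reports polluted: false and still copies "title".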

Attack Vector

The vulnerability is reachable through any attacker-controlled data that is deep-merged without sanitization: a JSON.parse'd request or response body, options derived from the URL, or a user-supplied configuration object [1]. No authentication or privileged network position is required when the application deep-extends untrusted data client-side; the attacker only needs to get a JSON document containing a "__proto__" key in front of a jQuery.extend(true, ...) call. Common scenarios are plugins, CMS themes and web applications that accept serialized data (for example via AJAX or WebSocket) and merge it into existing option objects. The shallow form jQuery.extend({}, src) does not write to Object.prototype: assigning target["__proto__"] there only swaps the prototype of that one target object, which is a much narrower injection.

Impact

By polluting Object.prototype, an attacker adds properties that every object in the runtime then inherits for the rest of the page or process lifetime. Downstream code that tests for a property with `in` or a truthiness check, reads a default from an options object, or builds HTML from merged settings can be steered into property injection, unexpected default values, and in some code paths privilege escalation or cross-site scripting (XSS) [1]. In content management systems like Drupal and Backdrop CMS, this could let an attacker modify application behavior or bypass client-side security controls.

Remediation

jQuery 3.4.0 fixes the issue with a one-line guard in jQuery.extend that skips a property named __proto__ [2]; upgrade to jQuery 3.4.0 or later. Downstream packagers that vendor jQuery have either bumped the bundled copy (maximebf/debugbar moved to 3.7.1) or backported that guard into the bundled file (Django 2.1.9 and 2.2.2 patched the admin's jquery.js and jquery.min.js in place rather than upgrading). Where an immediate upgrade is not feasible, strip __proto__ keys from untrusted data at every nesting level before it reaches $.extend(true, ...), for example with a JSON.parse reviver, and prefer rejecting such input over silently dropping the key. Nested keys matter because the deep merge recurses into each sub-object with the same logic, so {"a": {"__proto__": {...}}} pollutes just as the top-level form does.
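The sanitizing workaround, as an added example that is not part of jQuery, Django or any project on this page; FORBIDDEN_KEYS, parseUntrustedJSON and findForbiddenKeys are names chosen here, and the two sample documents are constructed:

```javascript
// Added example of the "strip __proto__ before $.extend()" workaround; not
// code from jQuery, Django or any other project on this page. The key list
// and helper names are this example's own choices.

// "__proto__" is the key this CVE is about; "constructor" and "prototype" are
// rejected as well because other deep-merge implementations can be reached
// through constructor.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// JSON.parse reviver: returning undefined deletes the key at every nesting
// level, so a later deep merge never sees an own "__proto__" property.
function dropForbiddenKeys(key, value) {
  return FORBIDDEN_KEYS.has(key) ? undefined : value;
}

function parseUntrustedJSON(text) {
  return JSON.parse(text, dropForbiddenKeys);
}

// Audit walker for data that was parsed elsewhere (e.g. by a framework):
// returns the JSONPath-like location of every forbidden own key, so the caller
// can reject the request instead of silently altering it.
function findForbiddenKeys(obj, path = "$", out = []) {
  if (obj === null || typeof obj !== "object") return out;
  for (const key of Object.keys(obj)) {
    const here = Array.isArray(obj) ? `${path}[${key}]` : `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) out.push(here);
    findForbiddenKeys(obj[key], here, out);
  }
  return out;
}

// Constructed sample inputs: one benign options document and one carrying a
// top-level and a nested "__proto__" plus a constructor.prototype chain.
const BENIGN = '{"title": "x", "opts": {"deep": {"v": 1}}}';
const HOSTILE =
  '{"__proto__": {"devMode": true}, "opts": {"__proto__": {"admin": true}}, "constructor": {"prototype": {"x": 1}}}';

console.log(findForbiddenKeys(JSON.parse(HOSTILE)));
// [ '$.__proto__', '$.opts.__proto__', '$.constructor', '$.constructor.prototype' ]
console.log(findForbiddenKeys(parseUntrustedJSON(HOSTILE))); // []
```

The reviver approach is a stop-gap: it alters the parsed data, and dropping "constructor" may break legitimate documents that use that word as a key, so the audit walker (reject on any hit) is the safer default for an API boundary. Neither replaces upgrading jQuery, which drops the key at the merge itself.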

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem   Affected versions    Patched versions
jquery                   npm         >= 1.1.4, < 3.4.0    3.4.0
jquery-rails             RubyGems    < 4.3.4              4.3.4
jQuery                   NuGet       >= 1.1.4, < 3.4.0    3.4.0
django                   PyPI        >= 2.0a1, < 2.1.9    2.1.9
django                   PyPI        >= 2.2a1, < 2.2.2    2.2.2
org.webjars.npm:jquery   Maven       >= 1.1.4, < 3.4.0    3.4.0
maximebf/debugbar        Packagist   < 1.19.0             1.19.0

Affected products

18

Patches

5
847216e60544

bump jquery to v3.7.1 (#548)

https://github.com/maximebf/php-debugbar · erikn69 · Aug 18, 2023 · via ghsa
1 file changed · +2 -2
  • src/DebugBar/Resources/vendor/jquery/dist/jquery.min.js  +2 -2 modified
34ec52269ade

Applied jQuery patch for CVE-2019-11358.

https://github.com/django/django · Carlton Gibson · May 27, 2019 · via ghsa
4 files changed · +25 -2
  • django/contrib/admin/static/admin/js/vendor/jquery/jquery.js  +2 -1 modified
    @@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
     				src = target[ name ];
     				copy = options[ name ];
     
    +				// Prevent Object.prototype pollution
     				// Prevent never-ending loop
    -				if ( target === copy ) {
    +				if ( name === "__proto__" || target === copy ) {
     					continue;
     				}
     
    
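Review bot: the guard is copied verbatim from upstream, but the minified companion jquery.min.js in the same commit is listed as +1 -1 with no hunk shown; confirm it was regenerated from the patched source (or taken from the 3.4.0 release) rather than hand-edited, since the admin serves the .min file in production. A one-line comment above the new condition naming the upstream commit (jquery/jquery 753d591aea69) would also make the next bundled-jQuery bump easier to audit.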
  • django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js  +1 -1 modified
  • docs/releases/2.1.9.txt  +11 -0 modified
    @@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
     link. You may customise the validator by passing a ``validator_class`` kwarg to
     ``AdminURLFieldWidget.__init__()``, e.g. when using
     :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
    +
    +Patched bundled jQuery for CVE-2019-11358: Prototype pollution
    +--------------------------------------------------------------
    +
    +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
    +``Object.prototype`` pollution. If an unsanitized source object contained an
    +enumerable ``__proto__`` property, it could extend the native
    +``Object.prototype``.
    +
    +The bundled version of jQuery used by the Django admin has been patched to
    +allow for the ``select2`` library's use of ``jQuery.extend()``.
    
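Review bot: the last sentence of the new note is ambiguous: "patched to allow for the select2 library's use of jQuery.extend()" reads as if the patch changes select2 behaviour. State the actual situation, that the bundled jQuery was patched in place rather than upgraded because the admin's select2 integration depends on it, and that the change only makes jQuery.extend() skip __proto__. Also drop the stray comma in "jQuery before 3.4.0, mishandles".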
  • docs/releases/2.2.2.txt  +11 -0 modified
    @@ -20,6 +20,17 @@ link. You may customise the validator by passing a ``validator_class`` kwarg to
     ``AdminURLFieldWidget.__init__()``, e.g. when using
     :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
     
    +Patched bundled jQuery for CVE-2019-11358: Prototype pollution
    +--------------------------------------------------------------
    +
    +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
    +``Object.prototype`` pollution. If an unsanitized source object contained an
    +enumerable ``__proto__`` property, it could extend the native
    +``Object.prototype``.
    +
    +The bundled version of jQuery used by the Django admin has been patched to
    +allow for the ``select2`` library's use of ``jQuery.extend()``.
    +
     Bugfixes
     ========
     
    
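Review bot: the note does not say which upstream version or commit the patch comes from; adding "taken from jQuery 3.4.0" lets readers check the bundled file against the release rather than trusting the entry. The same text is duplicated in docs/releases/2.1.9.txt in this commit, so any wording fix needs to land in both.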
baaf187a4e35

[2.2.x] Applied jQuery patch for CVE-2019-11358.

https://github.com/django/django · Carlton Gibson · May 27, 2019 · via ghsa
4 files changed · +25 -2
  • django/contrib/admin/static/admin/js/vendor/jquery/jquery.js  +2 -1 modified
    @@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
     				src = target[ name ];
     				copy = options[ name ];
     
    +				// Prevent Object.prototype pollution
     				// Prevent never-ending loop
    -				if ( target === copy ) {
    +				if ( name === "__proto__" || target === copy ) {
     					continue;
     				}
     
    
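Review bot: the hunk applies at the same offset (line 261) as on the main branch, which suggests the 2.2.x branch vendors the same jQuery build, but nothing in the diff or commit message records the bundled version; note it in the message so the backport can be verified against the right upstream line.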
  • django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js  +1 -1 modified
  • docs/releases/2.1.9.txt  +11 -0 modified
    @@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
     link. You may customise the validator by passing a ``validator_class`` kwarg to
     ``AdminURLFieldWidget.__init__()``, e.g. when using
     :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
    +
    +Patched bundled jQuery for CVE-2019-11358: Prototype pollution
    +--------------------------------------------------------------
    +
    +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
    +``Object.prototype`` pollution. If an unsanitized source object contained an
    +enumerable ``__proto__`` property, it could extend the native
    +``Object.prototype``.
    +
    +The bundled version of jQuery used by the Django admin has been patched to
    +allow for the ``select2`` library's use of ``jQuery.extend()``.
    
  • docs/releases/2.2.2.txt  +11 -0 modified
    @@ -20,6 +20,17 @@ link. You may customise the validator by passing a ``validator_class`` kwarg to
     ``AdminURLFieldWidget.__init__()``, e.g. when using
     :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
     
    +Patched bundled jQuery for CVE-2019-11358: Prototype pollution
    +--------------------------------------------------------------
    +
    +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
    +``Object.prototype`` pollution. If an unsanitized source object contained an
    +enumerable ``__proto__`` property, it could extend the native
    +``Object.prototype``.
    +
    +The bundled version of jQuery used by the Django admin has been patched to
    +allow for the ``select2`` library's use of ``jQuery.extend()``.
    +
     Bugfixes
     ========
     
    
95649bc08547

[2.1.x] Applied jQuery patch for CVE-2019-11358.

https://github.com/django/django · Carlton Gibson · May 27, 2019 · via ghsa
3 files changed · +14 -2
  • django/contrib/admin/static/admin/js/vendor/jquery/jquery.js  +2 -1 modified
    @@ -261,8 +261,9 @@ jQuery.extend = jQuery.fn.extend = function() {
     				src = target[ name ];
     				copy = options[ name ];
     
    +				// Prevent Object.prototype pollution
     				// Prevent never-ending loop
    -				if ( target === copy ) {
    +				if ( name === "__proto__" || target === copy ) {
     					continue;
     				}
     
    
  • django/contrib/admin/static/admin/js/vendor/jquery/jquery.min.js  +1 -1 modified
  • docs/releases/2.1.9.txt  +11 -0 modified
    @@ -19,3 +19,14 @@ payload, could result in an clickable JavaScript link.
     link. You may customise the validator by passing a ``validator_class`` kwarg to
     ``AdminURLFieldWidget.__init__()``, e.g. when using
     :attr:`~django.contrib.admin.ModelAdmin.formfield_overrides`.
    +
    +Patched bundled jQuery for CVE-2019-11358: Prototype pollution
    +--------------------------------------------------------------
    +
    +jQuery before 3.4.0, mishandles ``jQuery.extend(true, {}, ...)`` because of
    +``Object.prototype`` pollution. If an unsanitized source object contained an
    +enumerable ``__proto__`` property, it could extend the native
    +``Object.prototype``.
    +
    +The bundled version of jQuery used by the Django admin has been patched to
    +allow for the ``select2`` library's use of ``jQuery.extend()``.
    
753d591aea69

Core: Prevent Object.prototype pollution for $.extend( true, ... )

https://github.com/jquery/jquery · Michał Gołębiowski-Owczarek · Mar 25, 2019 · via ghsa
2 files changed · +9 -1
  • src/core.js  +2 -1 modified
    @@ -158,8 +158,9 @@ jQuery.extend = jQuery.fn.extend = function() {
     			for ( name in options ) {
     				copy = options[ name ];
     
    +				// Prevent Object.prototype pollution
     				// Prevent never-ending loop
    -				if ( target === copy ) {
    +				if ( name === "__proto__" || target === copy ) {
     					continue;
     				}
     
    
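Review bot: the new condition drops any key literally named "__proto__" rather than copying it as an own data property, so callers that relied on jQuery.extend to carry such a key through from JSON.parse output now lose it; the comment should say "skipped" so that behaviour is explicit. The two stacked comments also read as one two-line heading over a single check; fold them into one, e.g. `// Prevent Object.prototype pollution and never-ending loops`.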
  • test/unit/core.js  +7 -0 modified
    @@ -1062,6 +1062,13 @@ QUnit.test( "jQuery.extend(true,{},{a:[], o:{}}); deep copy with array, followed
     	assert.ok( !Array.isArray( result.object ), "result.object wasn't paved with an empty array" );
     } );
     
    +QUnit.test( "jQuery.extend( true, ... ) Object.prototype pollution", function( assert ) {
    +	assert.expect( 1 );
    +
    +	jQuery.extend( true, {}, JSON.parse( "{\"__proto__\": {\"devMode\": true}}" ) );
    +	assert.ok( !( "devMode" in {} ), "Object.prototype not polluted" );
    +} );
    +
     QUnit.test( "jQuery.each(Object,Function)", function( assert ) {
     	assert.expect( 23 );
     
    
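Review bot: if the assertion fails, Object.prototype.devMode is left in place and leaks into every later test in the run; capture the `"devMode" in {}` result first, then `delete Object.prototype.devMode;` before asserting, so the suite stays isolated regardless of outcome. Using a JSON.parse string rather than an object literal is the right choice here, since `{ __proto__: ... }` as a literal would set the prototype instead of creating an own key.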

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

119

News mentions

0

No linked articles in our index yet.