CVE-2022-31147

7.5 HIGH

📋 TL;DR

The jQuery Validation Plugin (jquery-validation) before version 1.19.5 contains a regular expression denial of service (ReDoS) in the url2 validation method, which ships in additional-methods.js. A crafted string reaching a field validated with url2 makes the regular expression backtrack for a very long time, pinning the CPU of whatever executes the validation, normally the visitor's browser. Any web application that loads a vulnerable version and applies the url2 rule is affected.
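The following is an added example for this page, not code from jquery-validation. It shows how a ReDoS like the one described above is confirmed (timing a validator on probe inputs of growing length) and how the nested-quantifier shape that causes it is rewritten. The pattern is a constructed stand-in with the vulnerable shape, not the actual url2 regular expression from additional-methods.js; the names buildProbe, measureMs and growthReport are this example's own.

```javascript
// Added example for this advisory page; it is NOT code from jquery-validation.
// BACKTRACKING_PATTERN is a constructed stand-in with a nested quantifier,
// chosen to show how catastrophic backtracking is measured and removed. It is
// not the url2 regular expression from additional-methods.js.

// Vulnerable shape: an inner "+" inside an outer "+" with only an optional
// separator between them, so a run of n letters can be split among the outer
// iterations in 2^(n-1) ways. On a non-matching input the engine tries every
// split before giving up.
const BACKTRACKING_PATTERN = /^(?:[a-z0-9]+\.?)+$/i;

// Same language, linear time: the separator is mandatory between runs, so
// there is exactly one way to consume each run of letters.
const LINEAR_PATTERN = /^[a-z0-9]+(?:\.[a-z0-9]+)*\.?$/i;

// Probe input (constructed): n valid characters followed by one that cannot
// match. The mismatch at the end is what forces full backtracking.
function buildProbe(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock cost of a single test() call, in milliseconds.
function measureMs(pattern, input) {
  const start = performance.now();
  pattern.test(input);
  return performance.now() - start;
}

// Time a pattern across probe sizes. Cost that multiplies with each small
// increase in n is the signature of a ReDoS-prone pattern.
function growthReport(pattern, sizes) {
  pattern.test(buildProbe(4)); // warm up the regexp compiler once
  return sizes.map((n) => ({ n, ms: measureMs(pattern, buildProbe(n)) }));
}

// The two patterns accept and reject exactly the same inputs; only cost differs.
function sameVerdicts(inputs) {
  return inputs.every(
    (s) => BACKTRACKING_PATTERN.test(s) === LINEAR_PATTERN.test(s)
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('backtracking:', growthReport(BACKTRACKING_PATTERN, [14, 18, 22]));
  console.log('linear:      ', growthReport(LINEAR_PATTERN, [14, 18, 22]));
}
```

Run it with node and compare the two reports: the backtracking pattern's cost roughly doubles with each extra character while the linear one stays flat. Keep n modest (around 22) when probing a real validator; a few more characters turns a short test into a hung process, which is exactly the property being demonstrated.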

💻 Affected Systems

Products:
  • jQuery Validation Plugin (jquery-validation)
Versions: All versions before 1.19.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that load additional-methods.js and apply the url2 rule to a field; the core url rule is not named in the advisory. The vulnerable code is client-side JavaScript, so the regular expression runs in the browser of the user whose form is being validated (or in Node.js if the library is executed server-side).

📦 What is this software?

The jQuery Validation Plugin (jquery-validation) is a client-side form validation library for jQuery. The core rules live in jquery.validate.js; extra rules such as url2 ship in additional-methods.js. Its regular expressions run in the visitor's browser each time a field is validated.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A crafted value in a url2-validated field keeps the browser's main thread in regular expression backtracking, freezing the page for that user until the tab is killed. If the library is also executed server-side (for example under Node.js), the same input blocks the event loop and can make the service unavailable to everyone.

🟠

Likely Case

Individual users see a frozen or unresponsive page when a crafted value reaches a field validated with url2 (for example one prefilled from a query parameter or stored data). The server is not affected by client-side validation and may see no request at all, because the form never submits.

🟢

If Mitigated

Minimal impact once the patched version is deployed or the url2 rule is removed; a short maxlength on the field limits how costly any remaining backtracking can get.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires getting attacker-controlled input into a field that is validated with url2. Because the regular expression runs client-side, a user who pastes a crafted value affects only their own browser; the attacker needs a way to place the value in another user's form. The advisory includes enough technical detail to construct such input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.5

Vendor Advisory: https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3

Restart Required: No

Instructions:

1. Update the jquery-validation dependency to version 1.19.5 or later.
2. Replace both shipped files, jquery.validate.js and additional-methods.js (the file containing url2), with the patched versions, including any copy served from a CDN.
3. Bust client caches (versioned asset URLs or changed cache headers) so browsers stop loading the old file.

🔧 Temporary Workarounds

Disable URL validation (applies to: all versions)

  • Remove or disable the url2 validation method from forms.
  • Modify form validation rules so that no field uses url2.

Implement server-side validation (applies to: all versions)

  • Add server-side validation for URLs to complement client-side validation.
  • Validate URLs in backend code before processing them, using a parser rather than a backtracking regular expression, and cap the accepted length.
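The following is an added example of the server-side check recommended above, not code from jquery-validation. It uses Node's built-in URL class (the WHATWG URL parser, which does not rely on backtracking regular expressions) behind a length cap that is enforced before anything else touches the input. The cap value, the scheme allowlist, the function names and the sample submissions are this example's own assumptions.

```javascript
// Added example for the "implement server-side validation" workaround on this
// page; it is NOT code from jquery-validation. Uses Node's global URL class.

const MAX_URL_LENGTH = 2048;                                   // assumed cap
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'ftp:']);  // assumed policy

// Returns { ok, reason }. Order matters: reject oversized input first so no
// parser or regex downstream ever sees an unbounded string.
function validateUrlField(value) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  if (value.length === 0) return { ok: false, reason: 'empty' };
  if (value.length > MAX_URL_LENGTH) return { ok: false, reason: 'too long' };

  let url;
  try {
    url = new URL(value); // no base URL, so only absolute URLs parse
  } catch {
    return { ok: false, reason: 'unparseable' };
  }

  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: 'scheme not allowed' };
  if (url.hostname === '') return { ok: false, reason: 'missing host' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  return { ok: true, reason: 'ok' };
}

// Constructed request bodies standing in for form submissions. The last one is
// a ReDoS-style probe: a long run of one character ending in a mismatch. It is
// rejected by the length check before any parsing happens.
const SAMPLE_SUBMISSIONS = [
  { website: 'https://example.com/path?q=1' },
  { website: 'ftp://files.example.org/pub/' },
  { website: 'javascript:alert(1)' },
  { website: 'http://user:secret@example.com/' },
  { website: 'not a url' },
  { website: 'http://' + 'a'.repeat(5000) + '!' },
];

// Apply the check to every submission; a handler would call this per request.
function checkSubmissions(submissions) {
  return submissions.map((body) => validateUrlField(body.website));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const result of checkSubmissions(SAMPLE_SUBMISSIONS)) console.log(result);
}
```

Wire validateUrlField into the request handler for any form that used url2 on the client. The client-side rule can then be removed without losing the check, and whatever is entered into the field, a hostile value costs the server a length comparison and one linear parse.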

🧯 If You Can't Patch

  • Set a short maxlength on every url2-validated field (and enforce the same limit server-side); ReDoS cost grows with input length, so a tight cap limits the damage.
  • Make sure no attacker-controlled data (query parameters, stored profile values) is prefilled into url2-validated fields.
  • Rate limiting and WAF rules on form submissions help only where the library is executed server-side; they do not protect a browser that is already stuck in the regular expression.

🔍 How to Verify

Check if Vulnerable:

Check the version banner at the top of jquery.validate.js and additional-methods.js (url2 lives in the latter) in your web application, including copies loaded from a CDN. Versions below 1.19.5 are vulnerable.

Check Version:

npm ls jquery-validation 2>/dev/null
grep -rho 'jQuery Validation Plugin v[0-9][0-9.]*' --include='*.js' . | sort -u

Verify Fix Applied:

Verify that the jquery-validation version is 1.19.5 or higher both in your application's dependencies and in the files actually served to browsers (jquery.validate.js and additional-methods.js, including CDN copies).

📡 Detection & Monitoring

Log Indicators:

  • Unusually long or highly repetitive values in URL form fields (a long run of one character ending in a mismatch is the classic ReDoS probe)
  • CPU spikes on the server coinciding with form submissions, only where the library is executed server-side; client-side hangs leave no server trace because the form never submits

Network Indicators:

  • Unusually long URL parameters in POST requests to forms
  • Repeated form submissions with similar URL patterns

SIEM Query:

url2 is the name of a client-side method and never appears in requests, so filter on the submitted field instead (Splunk-style, adapt field names to your log schema):

source="web_logs" method=POST | where len(form_data) > 2048
