DescriptionThe jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixed in 1.19.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs980891, 980892

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
civicrm (PTS)bullseye, sid5.33.2+dfsg1-1vulnerable
otrs2 (PTS)buster/non-free6.0.16-2vulnerable
bullseye/non-free, sid/non-free6.0.32-4fixed
stretch/non-free (security), stretch/non-free5.0.16-1+deb9u6vulnerable
phpmyadmin (PTS)stretch4:4.6.6-4+deb9u1vulnerable
stretch (security)4:4.6.6-4+deb9u2vulnerable
bullseye, sid4:5.0.4+dfsg2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[bullseye] - civicrm <no-dsa> (Minor issue)
[buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
[stretch] - phpmyadmin <no-dsa> (Minor issue; barely an issue in the phpmyadmin package)
not packaged, but civicrm, otrs2, and phpmyadmin embed a copy

Search for package or bug name: Reporting problems