Vulnerable JS Libraries.

Security / Client-Side Security

Outdated JavaScript libraries with known CVEs can be exploited remotely

What does this check test?

This check identifies JavaScript libraries loaded on the page that have known security vulnerabilities (CVEs). It examines `<script>` tags, bundled JavaScript files, and global variables to detect library versions and cross-references them against vulnerability databases like the National Vulnerability Database (NVD) and Snyk's vulnerability DB. Common culprits include outdated versions of jQuery, Lodash, Angular, Bootstrap, Moment.js, and other widely-used client-side libraries.
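The two detection sources described above, script `src` URLs and library globals, can be combined into a small audit routine. The following is an added example, not AppVet's own scanner code: it parses versions out of CDN-style script URLs, reads the version strings that jQuery and Lodash expose on `window`, and compares them against the two vulnerable ranges this page quotes (jQuery below 3.5.0, Lodash below 4.17.12). The sample URLs, the `example.com` host, and the fake globals object are constructed inputs; a real tool would feed it `document.scripts` and `window` and a full NVD/Snyk range table.

```javascript
// Added example (not part of the original page): detect client-side library
// versions from <script src> URLs and well-known globals, then compare them
// against known-vulnerable ranges. Works in Node or a browser.

// Vulnerable ranges quoted from the page text (upper bound exclusive).
// Only these two libraries are covered here; extend from NVD/Snyk data.
const KNOWN_VULNERABLE = {
  jquery: { below: "3.5.0", issue: "XSS via jQuery.htmlPrefilter" },
  lodash: { below: "4.17.12", issue: "prototype pollution" },
};

// Compare two dotted version strings numerically: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull a library name and version out of a CDN script URL, e.g.
// .../npm/jquery@3.4.1/dist/jquery.min.js or .../lodash-4.17.21.min.js
function parseScriptSrc(src) {
  const m = src.match(/\/(jquery|lodash)(?:@|-)(\d+\.\d+\.\d+)/i);
  return m ? { name: m[1].toLowerCase(), version: m[2] } : null;
}

// Read the version strings the libraries themselves publish as globals
// (jQuery.fn.jquery and _.VERSION). `g` is window in a browser.
function detectFromGlobals(g) {
  const found = [];
  if (g.jQuery && g.jQuery.fn && typeof g.jQuery.fn.jquery === "string")
    found.push({ name: "jquery", version: g.jQuery.fn.jquery });
  if (g._ && typeof g._.VERSION === "string")
    found.push({ name: "lodash", version: g._.VERSION });
  return found;
}

// Merge both sources (deduplicated by name@version) and flag every
// library whose version falls inside a known-vulnerable range.
function auditLibraries(scriptSrcs, globals) {
  const seen = new Map();
  for (const src of scriptSrcs) {
    const lib = parseScriptSrc(src);
    if (lib) seen.set(`${lib.name}@${lib.version}`, lib);
  }
  for (const lib of detectFromGlobals(globals))
    seen.set(`${lib.name}@${lib.version}`, lib);

  const findings = [];
  for (const lib of seen.values()) {
    const rule = KNOWN_VULNERABLE[lib.name];
    if (rule && compareVersions(lib.version, rule.below) < 0)
      findings.push({ ...lib, issue: rule.issue, fixedIn: rule.below });
  }
  return findings;
}

// Constructed sample input: two script tags and a stand-in for window.
const SAMPLE_SRCS = [
  "https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js",
  "https://cdn.example.com/lodash-4.17.21.min.js",
];
const SAMPLE_GLOBALS = { _: { VERSION: "4.17.11" } };

if (typeof require !== "undefined" && require.main === module) {
  // Expected: jquery 3.4.1 and lodash 4.17.11 flagged; lodash 4.17.21 clean.
  console.log(auditLibraries(SAMPLE_SRCS, SAMPLE_GLOBALS));
}
```

In a browser console the same routine runs as `auditLibraries(Array.from(document.scripts).map(s => s.src), window)`. Checking globals matters because bundled or renamed files hide the version from the URL, while the URL check catches libraries that have not finished loading yet; the two sources together give more coverage than either alone.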

Why does it matter?

Client-side JavaScript runs in the user's browser with full access to the page DOM, cookies (unless HttpOnly), and any data displayed on the page. A vulnerable library can be exploited to achieve cross-site scripting (XSS), prototype pollution, regular expression denial of service (ReDoS), or other attacks. For example, jQuery versions before 3.5.0 are vulnerable to XSS via `jQuery.htmlPrefilter`. Prototype pollution in Lodash versions before 4.17.12 can lead to property injection and potentially remote code execution in certain contexts.

Who is affected?

Every web application that includes client-side JavaScript libraries should be checked for known vulnerabilities. This is especially critical for applications that handle user authentication, financial data, or personal information. Sites using legacy libraries that are no longer maintained (e.g., jQuery UI, Backbone.js) face accumulated risk because vulnerabilities are no longer patched. SPAs that bundle dozens of dependencies are more likely to include a vulnerable transitive dependency.

Where does this apply?

Examine the JavaScript files loaded in the browser's Sources panel or Network tab. Check `package.json` and `package-lock.json` for pinned versions. Use browser extensions like Retire.js or Wappalyzer to detect client-side libraries and their versions. CI/CD pipelines should include `npm audit` or `yarn audit` to catch vulnerabilities before deployment.

How to fix it

Audit and update vulnerable libraries:

```bash
# Check for known vulnerabilities in your project
npm audit

# Fix automatically where possible
npm audit fix

# For major version updates that may have breaking changes
npm audit fix --force

# Or use yarn
yarn audit
```

For libraries loaded via a CDN, update the version in your HTML and pin the file with Subresource Integrity (SRI):

```html
<!-- Bad: Old vulnerable jQuery -->
<script src="https://cdn.jsdelivr.net/npm/jquery@3.4.1/dist/jquery.min.js"></script>

<!-- Good: Updated version with SRI -->
<script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"
        integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo="
        crossorigin="anonymous"></script>
```

Set up automated dependency scanning with Dependabot, Snyk, or Renovate to receive alerts when new vulnerabilities are discovered in your dependencies.

AppVet checks Vulnerable JS Libraries automatically

Run a free security scan and get a full report with actionable fixes, including a Fix with AI prompt you can paste into any coding tool.
