GHSA-ffmh-x56j-9rc3 · Severity: high · Ecosystem: npm — jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method
The jQuery Validation Plugin (jquery-validation) provides drop-in validation for forms. Versions of jquery-validation prior to 1.19.5 are vulnerable to regular expression denial of service (ReDoS) when an attacker is able to supply arbitrary input to the url2 method. This is due to an incomplete fix for CVE-2021-43306. Users should upgrade to version 1.19.5 to receive a patch.
Conclusion & alert: CVE-2022-31147 is rated Moderate Risk (55.3/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.56%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-19 | 1.50% | 1.56% | +0.06% |
| 2 | 2026-06-15 | 0.32% | 1.50% | +1.18% |
| 3 | 2026-03-04 | — | 0.32% | — |
Full EPSS history (41 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-ffmh-x56j-9rc3 · Severity: high · Ecosystem: npm — jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2022-31147 unimportant priority: Debian including 1 source packages (node-jquery-validation), 2 status rows across 2 suites (forky, sid): resolved 2. | https://security-tracker.debian.org/tracker/CVE-2022-31147 |
ubuntu
|
medium | CVE-2022-31147 medium priority: Ubuntu including 3 source packages (civicrm, jquery, node-jquery), 40 status rows across 14 suites (bionic, focal, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 18, DNE 15, needs-triage 5, ignored 2. | https://ubuntu.com/security/CVE-2022-31147 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| jqueryvalidation | jquery_validation | < 1.19.5 | cpe:2.3:a:jqueryvalidation:jquery_validation:*:*:*:*:*:node.js:*:* |
| URL | Tags |
|---|---|
| https://github.com/jquery-validation/jquery-validation/commit/5bbd80d27fc6b607d2f7f106c89522051a9fb0dd | Patch Third Party Advisory |
| https://github.com/jquery-validation/jquery-validation/releases/tag/1.19.5 | Release Notes Third Party Advisory |
| https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-ffmh-x56j-9rc3 | Third Party Advisory |