Affected versions of jQuery apply lowercasing logic to attribute names. When given a boolean attribute whose name contains uppercase characters, jQuery enters infinite recursion, exceeding the call stack limit and resulting in a denial of service condition.
Recommendation
Update to version 3.0.0 or later.
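A version check for the recommendation above, as an added example that is not part of the advisory or of jQuery's own code: it compares a version string (for instance the value of `jQuery.fn.jquery`) against 3.0.0 using semver precedence, under which pre-release builds of 3.0.0 sort before 3.0.0 itself. The function names are assumptions made for illustration.

```javascript
// Added example (not jQuery code). Function names are hypothetical.
const RECOMMENDED = "3.0.0"; // from the advisory's Recommendation

// Split "3.0.0-rc1+meta" into a numeric core and pre-release identifiers.
// Only the first whitespace-separated token is read, so build details
// appended after the version number are ignored.
function parseVersion(v) {
  const token = String(v).trim().split(/\s+/)[0];
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(token);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  // A pre-release sorts before the same core version without a tag.
  if (a.pre.length === 0 || b.pre.length === 0) {
    if (a.pre.length === b.pre.length) return 0;
    return a.pre.length ? -1 : 1;
  }
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // fewer identifiers sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return Number(x) < Number(y) ? -1 : 1;
    if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort lower
    return x < y ? -1 : 1;
  }
  return 0;
}

// True only when the version is 3.0.0 or later.
// Strings that cannot be parsed fail closed (reported as not meeting it).
function meetsRecommendation(version) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, parseVersion(RECOMMENDED)) >= 0;
}
```

A comparison that looks only at the three numeric fields would accept a 3.0.0 pre-release as meeting the recommendation; this one does not.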
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-10707
- https://github.com/jquery/jquery/issues/3133
- https://github.com/advisories/GHSA-mhpp-875w-9cpv
- https://www.npmjs.com/advisories/330
- https://github.com/jquery/jquery/pull/3134
- https://snyk.io/vuln/npm:jquery:20160529
- https://github.com/jquery/jquery/issues/3133#issuecomment-358978489