CVE-2019-11358 Explained: Azure Linux Attestations and jQuery Prototype Pollution

Microsoft’s brief public attestation that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate for the product named, but it is not a categorical guarantee that no other Microsoft product contains the same vulnerable jQuery code — nor is it a technical proof that other Microsoft artifacts are safe.

Background / Overview​

CVE‑2019‑11358 is a prototype‑pollution vulnerability in jQuery that was fixed in jQuery 3.4.0. The bug arises when the deep‑merge function jQuery.extend(true, target, source) is given an untrusted source object that contains an enumerable proto property; during the recursive merge, the library can be tricked into modifying Object.prototype and thereby polluting the prototype available to all JavaScript objects on a page. This can cause unexpected behavior, denial of service, or help an attacker craft further client‑side attacks.
The vulnerability affects jQuery releases older than 3.4.0 (the vulnerable range is generally reported as >=1.1.4 and .4.0). The security community documented proof‑of‑concept exploitation scenarios and recommended immediate upgrades to jQuery 3.4.0+ or sanitization workarounds where upgrading wasn’t possible.
Microsoft’s Security Response Center (MSRC) has used the Vulnerability Exploitability eXchange (VEX) / CSAF format to publish product‑level attestations for third‑party CVEs, beginning publicly with Azure Linux in October 2025. In its advisory language Microsoft explicitly calls out Azure Linux (the distro lineage formerly known as CBL‑Mariner) as a product that “includes this open‑source library and is therefore potentially affected,” and says it will update the CVE/VEX mapping if additional Microsoft products are identified as carriers of the component.

---

What the vulnerability actually does (technical summary)​

How prototype pollution works in practice​

• JavaScript objects inherit properties from their prototypes; modifying Object.prototype changes the baseline set of properties and behavior for nearly every object.
• In jQuery versions prior to 3.4.0, the deep merging logic of jQuery.extend(true, …) failed to stop a specially crafted source object from setting the proto key. When that key is merged into a target, the prototype chain for objects can be modified.
• An attacker who can supply JSON or structured input that winds up being merged with a page’s object graph can inject properties that then influence logic elsewhere in the page or in included scripts, opening paths for logic manipulation, data leakage, client errors, or further injection chains.

A practical exploitation vector​

A practical exploit requires:

• A JavaScript execution context where jQuery.extend(true, …) is called on attacker‑controlled or insufficiently sanitized data.
• The ability to submit JSON or form data that becomes the source argument.
• Client‑side reliance on object properties that an attacker can pollute to change control flow or data.

Because the weakness is in a general utility function rather than a single web endpoint, the vulnerability’s impact depends heavily on how each application uses jQuery — which is why product‑level attestations matter for defenders.

---

What Microsoft said — and what that wording means​

Microsoft’s public CVE mapping for some third‑party issues has used a consistent sentence for Azure Linux: “Azure Linux includes this open‑source library and is therefore potentially affected.” That sentence is an inventory attestation: Microsoft is telling customers which of its named products the company has completed an internal inventory for and found to contain the upstream component mapped to the CVE. The statement is narrow by design — it reports the result of an artifact inventory for the named product, not a blanket claim about every Microsoft product or image.
Security analysts and community researchers have repeatedly pointed out the operational meaning of such attestations: they are helpful and authoritative for the product named, but absence of an attestation for other Microsoft products is not the same as a negative attestation. In other words, Microsoft saying Azure Linux includes the component means it has checked that product; it does not prove that other Microsoft artifacts do not contain the same vulnerable upstream code.

---

Is Azure Linux the only Microsoft product that includes the vulnerable jQuery?​

Short answer: No — Azure Linux is the only Microsoft product Microsoft has publicly attested (via its VEX/CSAF entries) to include that particular upstream component for this CVE so far, but that statement should not be read as definitive proof that no other Microsoft product or artifact contains a vulnerable jQuery copy. The attestation is a snapshot of Microsoft’s inventory work for Azure Linux, accompanied by a pledge to update mappings if further products are found to carry the component.
Longer answer and context:

• Microsoft’s product‑scoped VEX entries are an important transparency improvement because they say, unequivocally, which named Microsoft product images ship a given upstream package or source tree and are thus “potentially affected.” That helps Azure Linux customers immediately know whether they need to act.
• However, large organizations (Microsoft included) ship thousands of artifacts: cloud service UI code, management portals, web consoles, developer tooling, installers, and product web UIs. Many of those artifacts — especially web interfaces and developer samples — have historically included or referenced jQuery in one form or another. Microsoft’s own developer pages and sample projects document jQuery as a dependency option (for example, SharePoint Framework projects anrtals can and do include jQuery as a developer dependency). That means the possibility that other Microsoft artifacts carried a vulnerable jQuery at some point is real, even if Microsoft has not named them in a VEX entry.
• For defenders, the operational takeaway is this: treat Microsoft’s attestation as authoritative for Azure Linux, but don’t stop there. Conduct an inventory of deployed Microsoft artifacts inside your environment (SharePoint customizations, on‑premises product consoles, management portals, Azure Marketplace images, internal web apps) and scan for bundled jQuery versions. Microsoft has said it will update CVE mappings if more products are found to contain the component, but independent verification by customers and third‑party tooling remains essential.

---

Evidence and cross‑checks​

Key, independently verifiable facts and the sources used to validate them:

• Affected jQuery versions and the vulnerability mechanics: multiple security databases and vulnerability trackers (Snyk, Amazon Linux ALAS/NVD copies, and others) confirm the issue is resolved by upgrading to jQuery 3.4.0 or later and that the problem stems from deep merging/proto handling.
• Microsoft’s product‑level attestation practice: MSRC publicly documented the VEX/CSAF publishing approach and explicitly started publishing product attestations for Azure Linux in October 2025 as part of a transparency push. The MSRC blog and subsequent CVE entries used the phrasing confirming Azure Linux includes implicated components and that mappings will be updated if other products are found to ship the component.
• Examples showing how Microsoft artifact families can and do reference jQuery: documentation and sample code for SharePoint Framework (SPFx) and earlier Azure open‑source portal projects show jQuery is a common, supported dependency for web part and portal code; that demonstrates how other Microsoft product‑adjacent artifacts can plausibly contain jQuery. This does not prove any specific Microsoft product shipped the vulnerable version, but it underscores why product‑scoped attestations cannot be interpreted as complete company‑wide negatives.

If Microsoft subsequently identifies additional Microsoft artifacts that ship the vulnerable jQuery, the MSRC CVE entries will be updated to reflect that mapping; until then, Azure Linux is the one product Microsoft has publicly inventory‑attested.

---

Risk assessment — who should worry and why​

• Azure Linux customers: High priority. If you run images or workloads based on Azure Linux, Microsoft has already flagged the product as a carrier and therefore potentially affected; you should follow Microsoft’s mitigation guidance for that product.
• Customers running Microsoft web products or on‑premises servers with web UIs (SharePoint customizations, management consoles, on‑premises web‑based admin panels): Medium to high priority. These components frequently rely on libraries like jQuery (sometimes bundled into shipped pages or included via web resource packs), so scanning for embedded jQuery versions and applying mitigations is necessary.
• Third‑party integrators and partners: Medium priority. Many third‑party solutions integrate with Microsoft products and can bring their own frontend libraries; these should be included in SBOMs and inventory checks.
• Cloud tenants using custom web apps deployed on Microsoft platforms: Variable. If your own apps use older jQuery versions, they remain directly exposed independently of Microsoft’s product attestations.

In short: treat the MSRC attestation as actionable intel for Azure Linux, but assume plausible exposure elsewhere until you confirm otherwise through scanning and artifact inventories.

---

Practical mitigation checklist (for administrators and developers)​

If you manage systems that consume Microsoft images or host Microsoft web applications, use the following sequential steps:

• Inventory: Build an inventory of deployed Microsoft artifacts in your environment (images, management consoles, web UIs, SharePoint customizations, Azure Marketplace images).
• Detect: Scan files and bundles for jQuery copies and record their version strings. Look at minified headers and the jQuery.fn.jquery property where possible.
• Prioritize: Flag any copies with versions < 3.4.0 as immediate high priority.
• Patch/Upgrade: Where feasible, upgrade embedded jQuery to 3.4.0+ or apply vendor fixes. For Azure Linux customers, follow Microsoft’s distribution‑level advisories and updates.
• Sanitize: If upgrade is not immediately possible, sanitize any untrusted JSON or inputs before they reach jQuery.extend(true, …) calls. Removing enumerable proto properties before merges is a known temporary mitigation. ([vulert.com](CVE-2019-11358: XSS in jQuery as used in Drupal, Backdrop CMS, and other products: Apply Content Security Policy (CSP) and other browser hardening measures to reduce exploitation risk for client‑side attacks.
• SBOMs and SBOM consumption: Request or generate Software Bill of Materials (SBOMs) for vendor images and components, and feed those SBOMs into your vulnerability management tooling so you can automatically map CVEs to artifacts.
• Monitoring: Add detections for indicators of prototype pollution exploitation (unexpected JS exceptions, anomalous client‑side behavior) and instrument log collection for administrative UI activity.
• Follow vendor VEX updates: Watch MSRC’s VEX/CSAF entries for additions to the prod committed to updating mappings if other products are found to ship a vulnerable component.t — supply‑chain and disclosure recommendations (analysis and critique)

Microsoft’s move to publish machine‑readable VEX/CSAF attestations for Azure Linux is a material step forward for transparency. Publishing product‑level inventory statements helps reduce ambiguity and enables automated tooling to make more informed decisions. That is an important strength of the current approach.
At the same time, defenders should be aware of possible gaps:

• Product vs. artifact scope: Publishing attestations for named products is useful, but modern development produces many artifacts beyond products — hosted web UIs, admin consoles, Marketplace images, development samples, and microservices. A single upstream library can appear in many of those artifacts without the product name being updated. Microsoft’s language acknowledges that additional mappings will be added if found, but the cadence and breadth of artifact inventorying determine how quickly customers can be sure they are not exposed.
• Timeliness and automation: The faster an organization can produce SBOMs and publish attestations per artifact, the less room attackers have to exploit uncertainty. Microsoft’s VEX program is a major improvement, but defenders will benefit further if per‑artifact SBOMs and attestations (not just per product) become standard.
• External verification: Organizations should retain independent scanning and SBOM comparison since vendor attestations — while authoritative — are naturally scoped to what was inventoried. Public attestations reduce the work for defenders but do not eliminate the need for independent verification.

---

What defenders should not assume​

• Do not assume that absence of a Microsoft VEX entry for a particular product means that product is not affected. The absence may simply mean the company has not completed or published an inventory mapping for that artifact yet.
• Do not assume that all uses of jQuery are exploitable: exploitation requires a specific usage pattern (untrusted data reaching jQuery.extend(true, …)). That said, any embedded jQuery prior to 3.4.0 should be treated as potentially risky until you verify usage patterns and sanitize or upgrade.

---

Example investigations — where to look inside Microsoft ecosystems​

• SharePoint customizations and SPFx web parts: SPFx explicitly supports adding jQuery as a depen parts or legacy JSLink scripts may bundle older jQuery versions into pages. Check tenant‑level app catalogs and deployed script packages.
• On‑premises product web UIs (management consoles, admin portals): Many on‑premises Microsoft server products include UI web resources that can be customized or augmented; check those resource packs for embedded JS libraries.
• Azure Marketplace images and tooling images: Marketplace images often bundle web admin tools or sample apps. If those images are based on distros carrying vulnerable upstream packages, there may be exposure.
• Internal and open‑source Microsoft projects: Microsoft’s own OSS projects or internal admin portals sometimes include jQuery for backward compatibility; search repo histories and package manifests where available.

---

Conclusion and actionable summary​

• CVE‑2019‑11358 is a prototype‑pollution vulnerability fixed in jQuery 3.4.0; it stems from jQuery.extend’s handling of proto and affects versions before 3.4.0.
• Microsoft has publicly attested that Azure Linux includes the implicated open‑source component and is therefore potentially affected; that attestation is product‑scoped and authoritative for Azure Linux, and Microsoft has pledged to update mappings if other products are found to ship the component.
• However, the attestation does not prove Azure Linux is the only Microsoft product that could contain the vulnerable jQuery code. Many Microsoft artifacts and developer scenarios may use jQuery, so independent inventorying and scanning remain essential.
• Immediate action checklist for defenders: inventory artifacts, scan for jQuery < 3.4.0, prioritize upgrades or sanitization, apply CSP and browser hardening, request or produce SBOMs, and monitor MSRC VEX updates.

Microsoft’s move to publish machine‑readable VEX attestations is a step in the right direction — it makes targeted mitigation faster for customers named in the attestations. To close the remaining transparency gap, defenders should treat those attestations as a starting point and continue to exercise artifact‑level diligence across environments.

---

---

Source: MSRC Security Update Guide - Microsoft Security Response Center