CVE-2025-3573: 
JavaScript vulnerability analysis and mitigation

A Cross-site Scripting (XSS) vulnerability was discovered in jquery-validation package versions before 1.20.0 (CVE-2025-3573). The vulnerability exists in the showLabel() function, which may take input from a user-controlled placeholder value that populates messages via $.validator.messages in a user localizable dictionary. The vulnerability was disclosed on October 9, 2023 and published on April 14, 2025 (Snyk DB).

The vulnerability occurs in the showLabel() function where user input is not properly sanitized before being rendered as HTML. The function uses .html() to set label content, which can execute malicious scripts if the messages are originating from a user localizable dictionary or if the message contains format placeholders with user input. The vulnerability has been assigned a CVSS v4.0 base score of 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N (Snyk DB).

If exploited, this vulnerability could allow attackers to execute arbitrary JavaScript code in the context of the victim's browser through Cross-site Scripting attacks. This could potentially lead to session hijacking, cookie theft, or other malicious actions performed in the context of the affected user's session (Snyk DB).

The vulnerability has been fixed in jquery-validation version 1.20.0. Users should upgrade to this version or later. Additionally, when using version 1.20.0 or higher, the 'escapeHtml' option must be explicitly set to true in the jquery-validation configuration to enable the fix (GitHub PR, Snyk DB).

The security community has actively discussed this vulnerability, with particular focus on the importance of enabling the escapeHtml option after upgrading. Several developers have raised questions about the fix's implementation and its opt-in nature, leading to discussions about backward compatibility versus security by default (GitHub PR).