Free Tool

Free Vulnerable JavaScript Libraries Checker

Check whether a website loads front-end JavaScript libraries with publicly known security vulnerabilities, with the detected version and advisory for each one.

Free and instant. No account or signup needed.

Why outdated front-end libraries are a real risk

Front-end JavaScript libraries such as jQuery, Lodash, Moment, and Angular ship to every visitor who loads your page. That is the whole point of them, and it is also where the risk comes from. When a vulnerability is published for a specific version range, the affected code is already sitting in your visitors' browsers, and the version you serve is plainly readable from the page. An attacker does not need to guess. They can match your version to a published advisory and reuse a working exploit against your users.

These issues are not theoretical. Every version of jQuery before 3.5.0 is affected by the htmlPrefilter cross-site scripting flaws tracked as CVE-2020-11022 and CVE-2020-11023, where HTML passed to methods like .html() or .append() can execute attacker-controlled code even after it looks sanitized. Lodash before 4.17.12 carries the prototype pollution flaw CVE-2019-10744, where a crafted payload reaches Object.prototype and quietly changes behavior across the whole application. Both are trivial to weaponize once an attacker confirms the version you are running.

How to fix vulnerable JavaScript libraries

Start by updating each flagged library to a current release that sits past the affected range, then confirm nothing in your code relied on the old behavior. Remove libraries you no longer use, since a dependency that is loaded but never called is still attack surface that ships to every browser. Pin exact versions in your build so a known-good file is served every time rather than whatever a loose range happens to resolve to. For any library you load from a public CDN, add a Subresource Integrity hash so the browser refuses to run a file that has been altered, which protects you even if the CDN itself is compromised.
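
As an added example (not SiteSecurityScore's code), the Node.js script below audits a page's script tags against the fixes described above: it flags jQuery and Lodash versions below the fixed releases named on this page, library URLs that carry no exact version, and cross-origin scripts that lack a Subresource Integrity attribute. The sample HTML, the cdn.example and www.example hosts, and the function names are constructed for illustration.

```javascript
// Added example: fixed releases come from this page; everything else is constructed.
const FIXED_IN = { jquery: '3.5.0', lodash: '4.17.12' };

// True when dotted numeric version a is lower than b.
function versionLess(a, b) {
  const x = a.split('.').map(Number), y = b.split('.').map(Number);
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0;
  }
  return false;
}

// Returns [{ src, issues }] for every <script src> that needs attention.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = (tag.match(/\ssrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    if (!src) continue; // inline script: no file fetched by URL
    const url = new URL(src, pageUrl);
    const issues = [];
    // Library name followed by an exact x.y.z version in the path.
    const m = url.pathname.match(/(jquery|lodash)(?:\.js)?[@\/-](\d+\.\d+\.\d+)/i);
    if (m) {
      const lib = m[1].toLowerCase();
      if (versionLess(m[2], FIXED_IN[lib])) issues.push(`${lib} ${m[2]} is below ${FIXED_IN[lib]}`);
    } else if (/jquery|lodash/i.test(url.pathname)) {
      issues.push('no exact version in URL');
    }
    // SRI applies to files fetched from another origin, such as a public CDN.
    const hasSri = /\sintegrity\s*=\s*["']sha(256|384|512)-/i.test(tag);
    if (url.origin !== pageOrigin && !hasSri) issues.push('cross-origin script without integrity');
    if (issues.length) findings.push({ src, issues });
  }
  return findings;
}

// Constructed sample page; the integrity value is a placeholder, not a real hash.
const SAMPLE_HTML = `
<script src="https://cdn.example/jquery-3.4.1.min.js"></script>
<script src="https://cdn.example/npm/lodash@4.17.21/lodash.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script src="https://cdn.example/npm/jquery@3/dist/jquery.min.js"></script>`;

for (const f of auditScripts(SAMPLE_HTML, 'https://www.example/'))
  console.log(f.src, '->', f.issues.join('; '));
```

The check only confirms that an integrity attribute is present; the browser is what verifies the hash against the file it actually receives.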

SiteSecurityScore detects these libraries from the live page in seconds, reports the exact version it found, and points you at the advisory so you know what you are fixing and why. Run the check above, then use the security headers checker to tighten the rest of your front-end defenses.

Frequently asked questions

What is a vulnerable JavaScript libraries checker?

It is a tool that reads the front-end JavaScript a website loads, identifies libraries like jQuery, Lodash, Moment, or Angular, and flags any running a version with a publicly known security vulnerability. SiteSecurityScore checks this live by scanning the URL you enter.

Why is an outdated jQuery or Lodash version a real risk?

Known issues map to a specific version range, and the version you serve is readable straight from the page. For example, jQuery before 3.5.0 is affected by the htmlPrefilter cross-site scripting flaws CVE-2020-11022 and CVE-2020-11023, and Lodash before 4.17.12 is affected by the prototype pollution flaw CVE-2019-10744. An attacker can match your version to a published advisory and reuse a working exploit.

How do I fix a vulnerable JavaScript library?

Update the library to a current release that is past the affected range, remove libraries you no longer use, and pin exact versions so a known-good build ships every time. For libraries you load from a public CDN, add a Subresource Integrity hash so the browser rejects a file that has been tampered with.

Does this checker read my source code or run exploits?

No. SiteSecurityScore looks only at the live page the way any visitor's browser would, identifies the library versions that are actually served, and reports them. It does not read your repository and it does not attempt any active exploitation.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live page, detects the front-end libraries and their versions, and reports any with known vulnerabilities in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies, with a letter grade and copy-and-paste fixes. No account required.
