The version of jQuery UI bundled in https://github.com/rstudio/shiny/tree/main/inst/www/shared/jqueryui is 1.13.2.

According to Sonatype, this version is vulnerable to prototype pollution (SONATYPE-2024-011918):

The $.widget() function in widget.js does not properly check if the name parameter contains a risky JavaScript accessor such as proto or constructor when creating a new widget. An attacker can exploit this vulnerability by providing a crafted name to override the original JavaScript prototype and therefore values of objects used by the application. This may result in arbitrary code execution, data corruption, or application crashes.

This was fixed in jQuery UI 1.14.1: https://jqueryui.com/changelog/1.14.1/#widget-factory.

To be clear, a) I have on idea what shiny uses jQuery UI for, and b) I suspect the probablility that this is exploitable via shiny to be very low. However, it's probably good to keep these dependencies up-to-date anyway.

I authored the PR a couple of years ago that updated jQuery-UI at the time to 1.13.2; I'm happy to do this again if that would be helpful?

There's an equivalent issue over at py-shiny, posit-dev/py-shiny#1786.

Thanks.