Vulnerability Description
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Handlebarsjs | Handlebars | >= 4.0.0, < 4.4.5 |
Related Weaknesses (CWE)
References
- https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde3PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388Third Party Advisory
- https://www.npmjs.com/advisories/1300Third Party Advisory
- https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde3PatchThird Party Advisory
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388Third Party Advisory
- https://www.npmjs.com/advisories/1300Third Party Advisory
FAQ
What is CVE-2019-20922?
CVE-2019-20922 is a vulnerability with a CVSS score of 7.5 (HIGH). Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow ...
How severe is CVE-2019-20922?
CVE-2019-20922 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-20922?
Check the references section above for vendor advisories and patch information. Affected products include: Handlebarsjs Handlebars.