PT-2019-4634 · Handlebars · Handlebars

Published: 2019-12-20 · Updated: 2022-06-03 · CVE-2019-19919

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: handlebars versions prior to 4.3.0; handlebars versions prior to 3.0.8
Description: The issue allows an attacker to execute arbitrary code through crafted payloads by altering an Object's __proto__ and __defineGetter__ properties. The cause is that the Handlebars templating engine does not neutralize these special elements in templates, so a template may modify the properties, potentially leading to Remote Code Execution.
Recommendations: For handlebars versions prior to 3.0.8, upgrade to version 3.0.8 or later. For handlebars versions prior to 4.3.0, upgrade to version 4.3.0 or later.
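As an added illustration (not part of this advisory or the Handlebars project), the following JavaScript checks an installed handlebars version against the two affected ranges above and flags template expressions that reference the properties named in the description; the version strings and template text are constructed inputs.

```javascript
// Added example (not from the advisory or the Handlebars project): two
// defender-side checks derived from this record. Version strings and
// template text below are constructed inputs.

// Fixed versions per the advisory: 3.0.8 for the 3.x branch, 4.3.0 for 4.x.
const FIX_3X = [3, 0, 8];
const FIX_4X = [4, 3, 0];

// Properties the advisory names as reachable from a template.
const SUSPICIOUS_PROPERTIES = ['__proto__', '__defineGetter__'];

function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unrecognized version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the installed handlebars version is in an affected range:
// anything below 3.0.8, or 4.0.0 up to (not including) 4.3.0.
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] >= 4) return compareVersions(v, FIX_4X) < 0;
  return compareVersions(v, FIX_3X) < 0;
}

// Returns every {{ ... }} expression in a template that mentions one of the
// suspicious properties, so untrusted templates can be rejected before
// Handlebars.compile() is ever called.
function findSuspiciousExpressions(templateSource) {
  const expressions = templateSource.match(/\{\{[\s\S]*?\}\}/g) || [];
  return expressions.filter((expr) =>
    SUSPICIOUS_PROPERTIES.some((prop) => expr.includes(prop)));
}

// Stand-alone demo with constructed inputs.
for (const v of ['3.0.7', '3.0.8', '4.2.1', '4.3.0']) {
  console.log(`handlebars ${v}: ${isAffected(v) ? 'AFFECTED' : 'not affected'}`);
}
console.log(findSuspiciousExpressions('Hi {{name}} {{user.__proto__.x}}'));
```

The version check only encodes the two ranges this advisory states; a 5.x release compares above 4.3.0 and is therefore reported as not affected.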

Exploit · Fix

RCE · Special Elements Injection · Prototype Pollution

Weakness Enumeration

Related Identifiers

BDU:2020-00795
CVE-2019-19919
GHSA-W457-6Q6X-CGP9

Affected Products

Handlebars