CVE-2019-20922

NameCVE-2019-20922
DescriptionHandlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libjs-handlebars (PTS)stretch3:4.0.5-4fixed
node-handlebars (PTS)buster3:4.1.0-1+deb10u3fixed
bookworm, sid, bullseye3:4.7.6+~4.1.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libjs-handlebarssource(unstable)(not affected)
node-handlebarssource(unstable)(not affected)

Notes

- node-handlebars <not-affected> (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded)
- libjs-handlebars <not-affected> (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded)
https://github.com/handlebars-lang/handlebars.js/issues/1579
https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
https://www.npmjs.com/advisories/1300

Search for package or bug name: Reporting problems