Prototype Pollution in handlebars
Critical severity. GitHub Reviewed. Published Dec 26, 2019 to the GitHub Advisory Database • Updated Feb 12, 2025
Description
Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
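Two defensive checks that follow from this advisory, written here as an added example (not code from the advisory or from the handlebars project): a version test for the affected ranges stated above, and a template scanner that flags expressions reaching for the two property names the description names. The template regex and the constructed sample templates are assumptions, not handlebars internals.

```javascript
// Added example for CVE-2019-19919 / GHSA-w457-6q6x-cgp9 (not project code).
// Fixed versions come from the advisory's Recommendation.
const FIXED_VERSIONS = { 3: [3, 0, 8], 4: [4, 3, 0] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected: anything below 3.0.8, or a 4.x release below 4.3.0.
function isVulnerableVersion(v) {
  const ver = parseVersion(v);
  if (ver[0] < 3) return true;
  if (ver[0] === 3) return compare(ver, FIXED_VERSIONS[3]) < 0;
  if (ver[0] === 4) return compare(ver, FIXED_VERSIONS[4]) < 0;
  return false; // later majors are outside the advisory's stated range
}

// The property names the advisory says templates could alter.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', '__defineGetter__']);

// Walk every {{ ... }} mustache (assumed syntax: optional #, /, ^, & prefix,
// paths split on dots, slashes and [brackets]) and report forbidden segments.
function findProtoAccess(templateSource) {
  const hits = [];
  const mustache = /\{\{\{?[#\/^&]?\s*([^}]*?)\s*\}?\}\}/g;
  let m;
  while ((m = mustache.exec(templateSource)) !== null) {
    const segments = m[1].split(/[\s./\[\]]+/).filter(Boolean);
    for (const seg of segments) {
      if (FORBIDDEN_SEGMENTS.has(seg)) hits.push({ expression: m[0], segment: seg });
    }
  }
  return hits;
}

// Constructed sample templates for the scanner: one benign, one that merely
// references the advisory's property names (not a working payload).
const BENIGN = '<p>{{user.name}} joined {{#each groups}}{{this.title}} {{/each}}</p>';
const SUSPECT = '{{#with user.__proto__ as |p|}}{{p.__defineGetter__}}{{/with}}';
```

Run the version check against the handlebars entry in a lockfile and the scanner over any templates compiled from untrusted sources; a non-empty result from either is a signal to upgrade or reject the template.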
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-19919
- handlebars-lang/handlebars.js#1558
- handlebars-lang/handlebars.js@2078c72
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
- https://www.tenable.com/security/tns-2021-14
- handlebars-lang/handlebars.js@156061e
- handlebars-lang/handlebars.js@90ad8d9
- https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js
- https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
Published by the National Vulnerability Database: Dec 20, 2019
Reviewed: Dec 26, 2019
Published to the GitHub Advisory Database: Dec 26, 2019
Last updated: Feb 12, 2025
Severity
Critical / 10
CVSS v3 base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS score (94th percentile)
CVE ID: CVE-2019-19919
GHSA ID: GHSA-w457-6q6x-cgp9