CVE-2019-19919
published 2019-12-20

Priority: P260, critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 7.07% (93.4th percentile)
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Affected

47 ranges, showing 25

Vendor | Product | Version range | Fixed in
debian | node-handlebars | < node-handlebars 3:4.5.3-1 (bookworm) | node-handlebars 3:4.5.3-1 (bookworm)
handlebars.js_project | handlebars.js | (not shown) | (not shown)

Detection & IOCs (extracted from sources)

  • Detect prototype pollution attempts via Handlebars templates that modify the __proto__ or __defineGetter__ properties; these are the attack vectors for this RCE vulnerability.
  • Flag handlebars npm package versions prior to 4.3.0 in dependency manifests (package.json, package-lock.json) as vulnerable to prototype pollution RCE.
  • Inspect Kibana deployments on OpenShift Container Platform 3.11 and 4 for the vulnerable nodejs-handlebars dependency, as these are confirmed affected packages.
  • Red Hat Quay includes Handlebars.js only as a development dependency and does not use it at runtime to process templates, reducing exploitability in that context.
  • For OpenShift Container Platform, no known attack vector was found for the prototype pollution issue in Kibana's bundled handlebars, resulting in a Low severity rating for OCP despite the code being present.

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL