CVE-2019-20922 — Uncontrolled Resource Consumption in Handlebars

CWE-400 — Uncontrolled Resource Consumption10 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 47.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Handlebarsjs Handlebars

Timeline

PublishedSep 30

Latest updateFeb 10

Description

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDhandlebarsjs/handlebars4.0.0 — 4.4.5

▶npmhandlebarsjs/handlebars4.0.0 — 4.4.5

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Regular Expression Denial of Service in Handlebars↗2022-02-10

▶

OSV

Regular Expression Denial of Service in Handlebars↗2022-02-10

▶

CVEList

CVE-2019-20922: Handlebars before 4↗2020-09-30

▶

OSV

CVE-2019-20922: Handlebars before 4↗2020-09-30

▶

📋Vendor Advisories

Red Hat

nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS↗2019-11-04

▶

Debian

CVE-2019-20922: node-handlebars - Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) beca...↗2019

▶

💬Community

Bugzilla

CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS [fedora-all]↗2020-09-24

▶

Bugzilla

CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS↗2020-09-24

▶

Bugzilla

CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS [epel-all]↗2020-09-24

▶