CVE-2019-20922
Published: 2020-09-30
Priority: P3 · 38 · high · CVSS 3.1 base score 7.5 · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 3.79% (88.6th percentile)
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | — | — |
| handlebarsjs | handlebars | >= 4.0.0 < 4.4.5 | 4.4.5 |
| handlebarsjs | handlebars | >= 4.0.0 < 4.4.5 | 4.4.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
vendor_redhat·2019-11-04·CVSS 7.5·HIGH·CWE-400
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.
Statement: Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates, so it has been given
Debian
CVE-2019-20922: node-handlebars - Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) beca...
vendor_debian·2019·CVSS 7.5·HIGH
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
Regular Expression Denial of Service in Handlebars
ghsa·2022-02-10·HIGH·CWE-400
OSV
Regular Expression Denial of Service in Handlebars
osv·2022-02-10·HIGH
OSV
CVE-2019-20922: Handlebars before 4
osv·2020-09-30·CVSS 7.5·HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS [fedora-all]
bugzilla·2020-09-24·CVSS 7.5·HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla
CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
bugzilla·2020-09-24·CVSS 7.5·HIGH
Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.
Reference:
https://www.npmjs.com/advisories/1300
Discussion:
Created /nodejs-handlebars tracking bugs for this issue:
Affects: epel-all [bug 1882258]
Affects: fedora-all [bug 1882257]
---
The upstream patch:
https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
---
External References:
https://www.npmjs.com/advisories/1300
---
Statement:
Red Hat Quay includes Handlebars.js as a
Bugzilla
CVE-2019-20922 nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS [epel-all]
bugzilla·2020-09-24·CVSS 7.5·HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this is
References:
https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
https://www.npmjs.com/advisories/1300