CVE-2019-20922
nodejs-handlebars: an endless loop while processing specially-crafted templates leads to DoS
- Public Exploits: 0
- Exploited in Wild: -
Descriptions
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
A flaw was found in nodejs-handlebars, where affected versions of handlebars are vulnerable to a denial of service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This flaw allows attackers to exhaust system resources, leading to a denial of service.
SSVC
- Decision: -
Timeline
- 2020-09-30 CVE Reserved
- 2020-09-30 CVE Published
- 2023-06-16 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
References (5)

URL | Tag | Source
---|---|---
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388 | Third Party Advisory |
https://www.npmjs.com/advisories/1300 | Third Party Advisory |

URL | Date | SRC
---|---|---
https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b | 2021-07-21 |

URL | Date | SRC
---|---|---
https://access.redhat.com/security/cve/CVE-2019-20922 | 2023-03-20 |
https://bugzilla.redhat.com/show_bug.cgi?id=1882256 | 2023-03-20 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Handlebarsjs | Handlebars | >= 4.0.0 < 4.4.5 | node.js | Affected