Skip to content

Prototype Pollution in handlebars

critical severity Published Dec 26, 2019 • Updated Jul 26, 2021

Package

npm handlebars (npm)

Affected versions

< 4.3.0

Patched versions

4.3.0

Description

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Recommendation

Upgrade to version 3.0.8, 4.3.0 or later.

References

CVE ID

CVE-2019-19919

CVSS Score

9.8 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H