Prototype Pollution in handlebars · CVE-2019-19919 · GitHub Advisory Database · GitHub

Prototype Pollution in handlebars

critical severity Published Dec 26, 2019 • Updated Jul 26, 2021

Package

handlebars (npm)

Affected versions

< 4.3.0

Patched versions

4.3.0

Description

Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Recommendation

Upgrade to version 3.0.8, 4.3.0 or later.

References

CVE ID

CVE-2019-19919

CWEs

CVSS Score

9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H