CVE-2019-20922 – handlebars
Package
Manager: npm
Name: handlebars
Vulnerable Version: >=4.0.0 <4.4.5
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0025 pctl0.48113
Details
Regular Expression Denial of Service in Handlebars
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Metadata
Created: 2022-02-10T20:38:22Z
Modified: 2021-04-22T23:31:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-62gr-4qp9-h98f/GHSA-62gr-4qp9-h98f.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-62gr-4qp9-h98f
Finding: F002
Auto approve: 1