CVE-2019-20922

NameCVE-2019-20922
DescriptionHandlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libjs-handlebars (PTS)jessie1.3.0-1fixed
stretch3:4.0.5-4fixed
node-handlebars (PTS)buster3:4.1.0-1+deb10u3fixed
bullseye3:4.7.6+~4.1.0-2fixed
sid, trixie, bookworm3:4.7.7+~4.1.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libjs-handlebarssourcejessie(not affected)
libjs-handlebarssource(unstable)(not affected)
node-handlebarssource(unstable)(not affected)

Notes

- node-handlebars <not-affected> (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded)
- libjs-handlebars <not-affected> (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded)
https://github.com/handlebars-lang/handlebars.js/issues/1579
https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
https://www.npmjs.com/advisories/1300
Search for package or bug name: Reporting problems