CVE-2019-19919
CRITICAL
Handlebars.js < 5.19.0 - Prototype Pollution
Title source: ruleDescription
Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Exploits (1)
Scores
CVSS v3: 9.8
EPSS: 0.1818
EPSS Percentile: 95.2%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-1321
Status: published
Products (46)
handlebars.js_project/handlebars.js 1.0.6
handlebars.js_project/handlebars.js 1.0.7
handlebars.js_project/handlebars.js 1.0.8
handlebars.js_project/handlebars.js 1.0.9
handlebars.js_project/handlebars.js 1.0.10
handlebars.js_project/handlebars.js 1.0.11
handlebars.js_project/handlebars.js 1.0.12
handlebars.js_project/handlebars.js 1.1.0
handlebars.js_project/handlebars.js 1.1.1
handlebars.js_project/handlebars.js 1.1.2
... and 36 more
Published: Dec 20, 2019
Tracked Since: Feb 18, 2026