CVE-2019-19919

CRITICAL

handlebars.js - Prototype Pollution leading to Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-19919. PoCs published by fazilbaig1.

AI-analyzed exploit summary This repository contains a functional exploit and scanner for CVE-2019-19919, a Handlebars template injection vulnerability leading to remote code execution (RCE). The exploit crafts a malicious payload to execute arbitrary OS commands, while the scanner checks for vulnerable Handlebars versions and tests for injection.

Description

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Exploits (1)

nomisec WORKING POC 4 stars

by fazilbaig1 · poc

https://github.com/fazilbaig1/CVE-2019-19919

View Code ZIP pw:eip

This repository contains a functional exploit and scanner for CVE-2019-19919, a Handlebars template injection vulnerability leading to remote code execution (RCE). The exploit crafts a malicious payload to execute arbitrary OS commands, while the scanner checks for vulnerable Handlebars versions and tests for injection.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Handlebars.js (versions below 4.5.3)

No auth needed

Prerequisites: Target application using vulnerable Handlebars.js version · Access to an endpoint that processes Handlebars templates

MITRE ATT&CK

T1221 - Template Injection T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory x_refsource_misc

https://www.npmjs.com/advisories/1164

Patch, Third Party Advisory x_refsource_confirm

https://www.tenable.com/security/tns-2021-14

Scores

CVSS v3 9.8

EPSS 0.2475

EPSS Percentile 96.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-1321

Status published

Products (46)

handlebars.js_project/handlebars.js 1.0.6

handlebars.js_project/handlebars.js 1.0.7

handlebars.js_project/handlebars.js 1.0.8

handlebars.js_project/handlebars.js 1.0.9

handlebars.js_project/handlebars.js 1.0.10

handlebars.js_project/handlebars.js 1.0.11

handlebars.js_project/handlebars.js 1.0.12

handlebars.js_project/handlebars.js 1.1.0

handlebars.js_project/handlebars.js 1.1.1

handlebars.js_project/handlebars.js 1.1.2

... and 36 more

Published Dec 20, 2019

Tracked Since Feb 18, 2026