CVE-2019-20922
Severity: HIGH
Handlebars 4.0.0-4.4.4 - Regular Expression Denial of Service via Eager Matching
Title source: llmDescription
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
References (3)
Third Party Advisory (x_refsource_misc): https://www.npmjs.com/advisories/1300
Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
Patch, Third Party Advisory (x_refsource_misc): https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
Scores
CVSS v3: 7.5
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
EPSS: 0.0379
EPSS Percentile: 88.6%
Details
CWE: CWE-400
Status: published
Products (2)
handlebarsjs/handlebars: 4.0.0 - 4.4.5
npm/handlebars: 4.0.0 - 4.4.5 (npm)
Published: Sep 30, 2020
Tracked Since: Feb 18, 2026