CVE-2019-20922

7.5 HIGH

📋 TL;DR

This CVE describes a Regular Expression Denial of Service (ReDoS) vulnerability in Handlebars templating engine versions before 4.4.5. Attackers can craft malicious templates that force the parser into an endless loop, consuming excessive CPU resources and potentially causing service disruption. This affects any application using vulnerable Handlebars versions for template processing.

💻 Affected Systems

Products:
  • handlebars.js
  • Any application using Handlebars templating engine
Versions: All versions before 4.4.5
Operating Systems: All platforms running Node.js/JavaScript
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the core parser and affects all configurations using vulnerable versions.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to resource exhaustion, potentially affecting multiple services on shared infrastructure.

🟠 Likely Case

Degraded performance or temporary service disruption for applications processing untrusted templates.

🟢 If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: MEDIUM - Exploitation requires ability to submit crafted templates to vulnerable endpoints.
🏢 Internal Only: LOW - Requires internal access to submit malicious templates to vulnerable services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to submit crafted templates to vulnerable endpoints. Proof-of-concept examples are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.5 and later

Vendor Advisory: https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b

Restart Required: Yes

Instructions:

1. Update Handlebars dependency to version 4.4.5 or later.
2. For npm: 'npm update handlebars'
3. For yarn: 'yarn upgrade handlebars'
4. Restart affected applications.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict validation and sanitization of template inputs to prevent malicious patterns.

Resource Limiting (applies to: all)

Implement CPU timeouts and resource limits for template processing operations.

🧯 If You Can't Patch

  • Implement strict input validation to reject complex template patterns
  • Deploy resource monitoring and alerting for abnormal CPU usage patterns

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list handlebars' to see installed version.

Check Version:

npm list handlebars | grep handlebars

Verify Fix Applied:

Verify installed version is 4.4.5 or later using 'npm list handlebars' or check package.json.

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage during template processing
  • Long-running template compilation operations

Network Indicators:

  • Repeated template submission patterns
  • Unusually large template payloads

SIEM Query:

source=application_logs AND ("template processing" OR "handlebars") AND (cpu_usage>90 OR duration>10s)
