CVE-2019-19919
Prototype Pollution vulnerability in handlebars (npm)
What is CVE-2019-19919 About?
Versions of `handlebars` prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution, which can lead to Remote Code Execution. This occurs because templates can modify `__proto__` and `__defineGetter__` properties, allowing attackers to execute arbitrary code via crafted payloads. Exploitation typically involves carefully constructed template inputs.
Affected Software
- handlebars
  - >4.0.0, <4.3.0
  - <3.0.8
- bootstrap-wysihtml5-rails
  - >0.3.3.5, <=0.3.3.8
Technical Details
The vulnerability in handlebars is a Prototype Pollution flaw. It allows malicious templates to modify the `__proto__` property of JavaScript objects, affecting all objects in the application's prototype chain. Additionally, an attacker can manipulate the `__defineGetter__` property. By injecting carefully crafted payloads into a template, an attacker can modify fundamental object properties or behaviors. This can lead to various outcomes, including arbitrary property injection, data tampering, or, in severe cases, Remote Code Execution by altering functions or constructors that are later invoked by the application.
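The paragraph above describes the mechanism in the abstract: a write that reaches `__proto__` lands on `Object.prototype` and is then visible on every object. The following added example (written for this page; it is not handlebars code and contains no template payload) shows the defensive side of that: a canary that runs any untrusted-input processing step and reports which keys appeared on `Object.prototype` during the call, a constructed stand-in for a vulnerable "set value by path" routine beside its hardened form, and a freeze-based hardening step. `naiveSetPath`, `safeSetPath`, `renderWithCanary` and `hardenObjectPrototype` are all names introduced here for illustration.

```javascript
// Added example, not from the advisory or the handlebars project.
// Detects and contains prototype pollution around an untrusted processing step.

// Runs `render(input)` and reports every own property that appeared on
// Object.prototype during the call. Injected keys are removed afterwards so
// the rest of the process is not affected; an error thrown by `render` is
// rethrown only after the check and clean-up have run.
function renderWithCanary(render, input) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  let result;
  let error;
  try {
    result = render(input);
  } catch (e) {
    error = e;
  }
  const polluted = Object.getOwnPropertyNames(Object.prototype)
    .filter((key) => !before.has(key));
  for (const key of polluted) delete Object.prototype[key]; // contain it
  if (error) throw error;
  return { result, polluted };
}

// Constructed stand-in for a vulnerable routine: it walks a dotted path and
// creates intermediate objects without treating `__proto__` specially, which
// is the class of mistake the advisory describes (this is NOT handlebars code).
function naiveSetPath(input) {
  const target = {};
  const parts = input.path.split('.');
  let cursor = target;
  for (const part of parts.slice(0, -1)) {
    if (cursor[part] === undefined) cursor[part] = {};
    cursor = cursor[part]; // for "__proto__" this is Object.prototype itself
  }
  cursor[parts[parts.length - 1]] = input.value;
  return target;
}

// Hardened form: refuse the path segments that reach the prototype chain and
// only descend into properties the current object actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSetPath(input) {
  const target = {};
  const parts = input.path.split('.');
  if (parts.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new Error(`rejected path segment in "${input.path}"`);
  }
  let cursor = target;
  for (const part of parts.slice(0, -1)) {
    if (!Object.prototype.hasOwnProperty.call(cursor, part)) cursor[part] = {};
    cursor = cursor[part];
  }
  cursor[parts[parts.length - 1]] = input.value;
  return target;
}

// Belt-and-braces hardening for processes that never need to extend
// Object.prototype: once frozen, a polluting write is a silent no-op in sloppy
// mode and a TypeError in strict mode. Returns whether the freeze took effect.
function hardenObjectPrototype() {
  Object.freeze(Object.prototype);
  return Object.isFrozen(Object.prototype);
}
```

In practice the canary belongs in a test suite or a staging environment rather than on the hot path: render each untrusted template fixture through `renderWithCanary` and fail the build if `polluted` is non-empty. Freezing `Object.prototype` is a process-wide decision and should be verified against every dependency before it is enabled in production.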
What is the Impact of CVE-2019-19919?
Successful exploitation may allow attackers to execute arbitrary code, manipulate data, or cause denial of service, leading to full system compromise.
What is the Exploitability of CVE-2019-19919?
Exploitation requires the ability to provide or influence template content processed by a vulnerable version of handlebars. This is typically a remote vulnerability if the application renders user-supplied templates. No specific authentication is required if anonymous users can submit or influence template data. The complexity is moderate, requiring knowledge of JavaScript prototype inheritance and how to craft payloads to achieve desired effects. Any application that uses handlebars to render untrusted input is at increased risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| fazilbaig1 | Link | Handlebars Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability |
What are the Available Fixes for CVE-2019-19919?
About the Fix from Resolved Security
This patch prevents explicit calls to the special helpers helperMissing and blockHelperMissing in Handlebars templates unless the new allowCallsToHelperMissing option is enabled. By moving these helpers to a private hooks object and updating the invocation logic, it blocks attackers from directly invoking them, which fixes the CVE-2019-19919 vulnerability that allowed arbitrary code execution through unauthorized access to these helpers.
Available Upgrade Options
- handlebars
  - <3.0.8 → Upgrade to 3.0.8
- handlebars
  - >4.0.0, <4.3.0 → Upgrade to 4.3.0
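Because handlebars is frequently pulled in transitively (build tools, widgets, mailers), the affected-version ranges and upgrade targets listed above are most useful as a lockfile check. The following added example (not from the advisory or the handlebars project) implements the two listed ranges literally, `<3.0.8` and `>4.0.0, <4.3.0`, and walks a package-lock v1 style `dependencies` tree to report every nested copy that falls inside them. The lockfile object is constructed for the example; `parseSemver`, `satisfies`, `isVulnerableHandlebars` and `auditLockfile` are names introduced here.

```javascript
// Added example, not from the advisory or the handlebars project.
// Flags handlebars versions inside the advisory's affected ranges.

// Affected ranges exactly as listed on the advisory page.
const VULNERABLE_RANGES = [
  [{ op: '<', v: '3.0.8' }],
  [{ op: '>', v: '4.0.0' }, { op: '<', v: '4.3.0' }],
];

// Parses "MAJOR.MINOR.PATCH" (optional leading "v", trailing pre-release tag
// ignored) into an array of three numbers.
function parseSemver(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(s).trim());
  if (!m) throw new Error(`not a semver version: ${s}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies every comparator in the list (an AND range).
function satisfies(version, comparators) {
  const v = parseSemver(version);
  return comparators.every(({ op, v: bound }) => {
    const c = compareSemver(v, parseSemver(bound));
    switch (op) {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: throw new Error(`unknown operator ${op}`);
    }
  });
}

function isVulnerableHandlebars(version) {
  return VULNERABLE_RANGES.some((range) => satisfies(version, range));
}

// Walks a package-lock v1 style tree (name -> { version, dependencies }) and
// returns one "parent@ver > child@ver" path string per vulnerable copy.
function auditLockfile(lock, pkgName = 'handlebars') {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === pkgName && isVulnerableHandlebars(info.version)) {
        findings.push(here.join(' > '));
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile: one patched top-level copy and two vulnerable
// transitive copies, one in each affected range.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    handlebars: { version: '4.3.0' },
    'some-build-tool': {
      version: '1.2.0',
      dependencies: { handlebars: { version: '4.1.2' } },
    },
    'legacy-widget': {
      version: '0.9.0',
      dependencies: { handlebars: { version: '3.0.7' } },
    },
  },
};
```

Run it with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; each finding names the dependency chain that needs the upgrade, which is the information a `npm ls handlebars` call gives you without the range check. Note that the ranges are applied as the page lists them, so `4.0.0` itself falls outside both.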
Additional Resources
- https://www.tenable.com/security/tns-2021-14
- https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
- https://osv.dev/vulnerability/GHSA-w457-6q6x-cgp9
- https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
- https://github.com/wycats/handlebars.js
- https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5
- https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc
What are Similar Vulnerabilities to CVE-2019-19919?
Similar Vulnerabilities: CVE-2023-38035, CVE-2022-24434, CVE-2022-25936, CVE-2021-23337, CVE-2020-28282
