CVE-2019-19919
Prototype Pollution vulnerability in handlebars

Tags: Prototype Pollution | Proof of concept | Fixable by Resolved Security

What is CVE-2019-19919 About?

Versions of `handlebars` prior to 3.0.8 on the 3.x line and prior to 4.3.0 on the 4.x line are vulnerable to Prototype Pollution that can escalate to Remote Code Execution. Template expressions can reach and alter an object's `__proto__` and `__defineGetter__` properties, so an attacker who controls template content can pollute `Object.prototype` and, from there, run arbitrary code. Exploitation relies on carefully constructed template input, not merely on the data passed to a trusted template.

Affected Software

  • handlebars
    • >=4.0.0, <4.3.0
    • <3.0.8
  • bootstrap-wysihtml5-rails
    • >0.3.3.5, <=0.3.3.8

Technical Details

The flaw is in how `handlebars` resolves property names in template expressions: a lookup such as `{{a.b}}` follows the JavaScript prototype chain, so a template can reach `__proto__` and, through it, `Object.prototype`, which every object in the application shares. The same lookup exposes `__defineGetter__` and the `constructor` of any value, and because function-valued lookups can be invoked from a template, an attacker can define getters on `Object.prototype` (polluting every object) or reach the `Function` constructor. Outcomes range from arbitrary property injection and data tampering to Remote Code Execution when the polluted properties or constructed functions are later invoked by the application.

What is the Impact of CVE-2019-19919?

Successful exploitation may allow an attacker to execute arbitrary code in the rendering process, tamper with data, or cause a denial of service, up to compromise of the host that renders the templates.

What is the Exploitability of CVE-2019-19919?

Exploitation requires the ability to provide or influence the template content processed by a vulnerable version of `handlebars`; supplying only the context data rendered by a trusted template is not enough. The vulnerability is remotely reachable when the application renders user-supplied templates, and no authentication is required if anonymous users can submit or influence them. The complexity is moderate: the attacker needs to understand JavaScript prototype inheritance and how to craft template expressions to achieve the desired effect. Any application that renders untrusted templates with `handlebars` is at increased risk.

What are the Known Public Exploits?

PoC Author | Link | Commentary
fazilbaig1 | Link | Handlebars Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Vulnerability

What are the Available Fixes for CVE-2019-19919?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch blocks access to dangerous JavaScript property names such as `constructor`, `__proto__`, `__defineGetter__` and the related special accessors: names matching a regular expression are only resolved when they are enumerable on the object being looked up, so inherited prototype members are never returned. This stops template expressions from reaching or manipulating prototype properties and closes the prototype pollution and arbitrary code execution vectors described in CVE-2019-19919.
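The following is an added example, not code from `handlebars` or from Resolved Security. It illustrates both the Technical Details above and this fix description with a minimal template-style path resolver: `naiveResolve` walks a dotted path with plain property access (the vulnerable behaviour), and `safeResolve` applies the rule the fix describes, following a name that matches the regular expression only when the object enumerates it as its own property. The resolver names, the `evaluate` helper, the sample context and the attacker-controlled paths are all assumptions constructed for the demonstration; the regular expression lists the names the advisory text calls out plus the matching getter/setter accessors.

```javascript
// Added example (not handlebars' own code): a minimal template-style path
// resolver in its vulnerable form and in a hardened form that applies the
// rule described in the fix: names matching a regular expression are only
// followed when the object itself enumerates them. The dotted paths stand
// in for template expressions such as {{a.b.c}}; the attacker-controlled
// paths and the sample context below are constructed for this demonstration.

// Special property names the filter refuses unless they are enumerable.
const DANGEROUS_PROPERTY = /^(constructor|__defineGetter__|__defineSetter__|__lookupGetter__|__proto__)$/;

// Vulnerable resolver: plain property access at every step, so inherited
// names such as __proto__ and constructor are reachable from any context.
function naiveResolve(root, path) {
  let parent = null;
  let value = root;
  for (const key of path.split('.')) {
    if (value == null) return { parent: null, value: undefined };
    parent = value;
    value = value[key];
  }
  return { parent, value };
}

// Hardened resolver: a special name is followed only when the current
// object enumerates it as an own property; inherited members are dropped.
function safeResolve(root, path) {
  let parent = null;
  let value = root;
  for (const key of path.split('.')) {
    if (value == null) return { parent: null, value: undefined };
    if (DANGEROUS_PROPERTY.test(key) &&
        !Object.prototype.propertyIsEnumerable.call(value, key)) {
      return { parent: null, value: undefined };
    }
    parent = value;
    value = value[key];
  }
  return { parent, value };
}

// A template engine invokes a resolved function with the object it was
// read from as `this` and the expression's arguments; this mimics that step.
function evaluate(resolve, context, path, args) {
  const { parent, value } = resolve(context, path);
  return typeof value === 'function' ? value.apply(parent, args) : value;
}

// Constructed sample context that an ordinary template would render.
const context = { user: { name: 'alice' } };

// Attack 1: reach Object.prototype through __proto__ and call its
// __defineGetter__, so every object in the process gains the property.
function pollutionDemo(resolve) {
  const marker = 'polluted_by_' + resolve.name;
  evaluate(resolve, context, 'user.__proto__.__defineGetter__', [marker, () => 'tainted']);
  const unrelated = {};
  const leaked = unrelated[marker];
  delete Object.prototype[marker]; // undo the pollution so the demo is repeatable
  return leaked;
}

// Attack 2: constructor.constructor on any value is the Function
// constructor, which compiles attacker-supplied source into a callable.
function codeExecDemo(resolve) {
  const built = evaluate(resolve, context, 'user.name.constructor.constructor', ['return 6 * 7']);
  return typeof built === 'function' ? built() : undefined;
}

// Ordinary lookups still work through the hardened resolver.
function legitimateDemo(resolve) {
  return evaluate(resolve, context, 'user.name', []);
}

console.log(pollutionDemo(naiveResolve), pollutionDemo(safeResolve)); // tainted undefined
console.log(codeExecDemo(naiveResolve), codeExecDemo(safeResolve));   // 42 undefined
console.log(legitimateDemo(safeResolve));                             // alice
```

The hardened resolver only refuses the listed names when they are inherited; a context object that carries its own enumerable `constructor` key is still resolved, which is why the filter is a targeted fix for prototype access rather than a guarantee that arbitrary untrusted templates are safe to render.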

Available Upgrade Options

  • handlebars
    • <3.0.8 → Upgrade to 3.0.8
  • handlebars
    • >=4.0.0, <4.3.0 → Upgrade to 4.3.0


Additional Resources

What are Similar Vulnerabilities to CVE-2019-19919?

Similar Vulnerabilities: CVE-2023-38035, CVE-2022-24434, CVE-2022-25936, CVE-2021-23337, CVE-2020-28282