CVE-2019-20920
Arbitrary Code Execution vulnerability in handlebars (npm)

Category: Arbitrary Code Execution | Known exploit: none | Fixable by Resolved Security

What is CVE-2019-20920 About?

This vulnerability affects Handlebars before version 3.0.8 and 4.x before version 4.5.3, allowing Arbitrary Code Execution. The `lookup` helper does not properly validate the input it receives from a template, so an attacker who can supply a template can execute arbitrary JavaScript. Depending on where templates are rendered, this can affect servers as well as client browsers.

Affected Software

  • handlebars
    • >4.0.0, <4.5.3
    • <3.0.8

Technical Details

The Arbitrary Code Execution vulnerability in Handlebars arises because the `lookup` helper does not properly validate the templates (and the values they pass to it) that it processes. An attacker can craft a template that, when rendered by Handlebars, interpolates values in a way that executes arbitrary JavaScript. The root cause is insufficient sandboxing and context isolation in the template rendering engine: a misused `lookup` helper can expose global objects or functions that let an attacker escape the template context. The code then runs on the server, if server-side rendering is used, or in a victim's browser, where it behaves as a Cross-Site Scripting (XSS) vulnerability.

What is the Impact of CVE-2019-20920?

Successful exploitation may allow attackers to execute arbitrary code on the server or in a victim's browser, leading to full system compromise, data theft, or session hijacking.

What is the Exploitability of CVE-2019-20920?

Exploitation requires an attacker to inject a specially crafted Handlebars template into the vulnerable application. This can be a remote exploit if the application accepts and renders user-controlled templates. No specific authentication or high privileges are required if the template injection point is accessible to unauthenticated users. The complexity of crafting the malicious template can be moderate. Special conditions include applications that allow users to define or submit Handlebars templates, even partially. Risk factors include content management systems, email template engines, or any application that renders untrusted data using Handlebars without proper template sandboxing.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits are listed.

What are the Available Fixes for CVE-2019-20920?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch prevents access to the non-enumerable "constructor" property through the Handlebars "lookup" helper by converting the field name to a string before comparison, blocking bypass techniques that use objects or arrays whose string value is "constructor". This fixes CVE-2019-20920 by ensuring that attackers cannot access the protected "constructor" property using alternate input types or coerced values.
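The following added illustration, which is not handlebars' own source, contrasts a field-name guard that compares the raw value against `"constructor"` with one that, like the backported fix described above, coerces the field name to a string first. The helper names `lookupNaive` and `lookupHardened`, the sample context and the field inputs are all constructed for this example; the check itself is only meaningful for properties that are not enumerable on the object, which is why `propertyIsEnumerable` appears in both variants.

```javascript
// Added example modelled on the fix described above; not handlebars' own code.
// Both helpers mimic the shape of a {{lookup obj field}} helper: return the
// property unless the field names the non-enumerable "constructor" property.

// Naive guard (hypothetical): only the literal string "constructor" is caught.
function lookupNaive(obj, field) {
  if (!obj) return obj;
  if (field === 'constructor' && !obj.propertyIsEnumerable(field)) {
    return undefined;
  }
  return obj[field];
}

// Hardened guard, mirroring the patch: coerce the field name to a string
// before comparing, so an array or object whose string value is
// "constructor" is treated exactly like the literal string.
function lookupHardened(obj, field) {
  if (!obj) return obj;
  if (String(field) === 'constructor' && !obj.propertyIsEnumerable(field)) {
    return undefined;
  }
  return obj[field];
}

// Constructed sample context, as a rendered template would see it.
const context = { user: { name: 'alice', role: 'viewer' } };

// Constructed field inputs: a plain string, an array whose string value is
// "constructor", and an object with a custom toString. Property access
// coerces each of them to the key "constructor".
const FIELD_INPUTS = {
  literal: 'constructor',
  array: ['constructor'],
  coercedObject: { toString: () => 'constructor' },
};

// Regression check: for each input, report whether the helper handed back a
// function (the Object constructor), which is what the guard must prevent.
function exposesConstructor(helper) {
  const result = {};
  for (const [label, field] of Object.entries(FIELD_INPUTS)) {
    result[label] = typeof helper(context.user, field) === 'function';
  }
  return result;
}

// Ordinary enumerable properties must still resolve after hardening.
function normalLookup(helper) {
  return helper(context.user, 'role');
}

console.log('naive    :', exposesConstructor(lookupNaive));
// -> { literal: false, array: true, coercedObject: true }
console.log('hardened :', exposesConstructor(lookupHardened));
// -> { literal: false, array: false, coercedObject: false }
console.log('role     :', normalLookup(lookupHardened)); // -> viewer
```

Running the block shows why the string coercion matters: the naive guard still returns the constructor for the array and object inputs, while the hardened guard returns `undefined` for all three and continues to resolve normal fields such as `role`. The `exposesConstructor` check is the kind of unit test a team can keep alongside a backported fix to make sure the guard is not weakened again.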

Available Upgrade Options

  • handlebars
    • <3.0.8 → Upgrade to 3.0.8
    • >4.0.0, <4.5.3 → Upgrade to 4.5.3


Additional Resources

What are Similar Vulnerabilities to CVE-2019-20920?

Similar Vulnerabilities: CVE-2019-19919, CVE-2020-7662, CVE-2020-13768, CVE-2022-24765, CVE-2018-8097