CVE-2019-20922
Regular Expression Denial of Service (ReDoS) vulnerability in handlebars (npm)

Type: Regular Expression Denial of Service (ReDoS) | Known exploit: none | Fix: available from Resolved Security

What is CVE-2019-20922 About?

Handlebars before 4.4.5 is vulnerable to Regular Expression Denial of Service (ReDoS) due to eager matching. Attackers can craft templates that force the parser into an endless loop, leading to resource exhaustion. This is a denial of service vulnerability with high impact, and crafting such templates can be relatively easy for an attacker knowledgeable about regular expressions.

Affected Software

handlebars >4.0.0, <4.4.5

Technical Details

The vulnerability in Handlebars versions prior to 4.4.5 is a Regular Expression Denial of Service (ReDoS) stemming from an eagerly matching regular expression in its parser. Certain regular expressions used by the template parsing engine exhibit catastrophic backtracking when given specially crafted input: an attacker can construct a malicious Handlebars template containing a string that forces the regex engine to backtrack excessively. Processing time then grows far beyond the input size, effectively forcing the parser into an 'endless loop' or severely degrading performance. The prolonged computation consumes excessive CPU and memory, resulting in a denial of service for the application or server processing the template.

What is the Impact of CVE-2019-20922?

Successful exploitation may allow attackers to cause a denial of service by exhausting system resources, leading to application unresponsiveness or crashes.

What is the Exploitability of CVE-2019-20922?

Exploitation of this ReDoS vulnerability is of low complexity. The primary prerequisite is that the application uses a vulnerable version of Handlebars and processes user-controlled templates or template-like input. Authentication requirements depend on whether the template processing endpoint requires authentication; if it does not, the attack can be unauthenticated. No specific privilege requirements are mentioned beyond the ability to submit template content. This is a remote attack in which the attacker submits a specially crafted template; no special conditions are noted other than the malicious input needing to trigger catastrophic backtracking in the specific regular expression. The likelihood of exploitation is higher if the web application lets users submit or influence Handlebars templates, or if it uses Handlebars to parse external data that may contain attacker-controlled strings.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2019-20922?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch adds comprehensive tests and refines the tokenizer to ensure that raw block helpers in Handlebars templates close at the first matching {{{{/raw}}}} rather than being greedy. This fixes CVE-2019-20922 by preventing attackers from injecting unexpected template content or bypassing intended block boundaries, eliminating possible template injection or content manipulation vulnerabilities due to incorrect raw block parsing.
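The block-boundary point in the fix description above (close at the first matching close tag rather than greedily) and the backtracking behaviour described under Technical Details can be seen side by side in the following added example. It is not Handlebars' tokenizer and does not reproduce the regular expression that was vulnerable in the affected releases; the two regexes, the `scanRawBlocks` scanner and the sample template are constructed for illustration only. It contrasts a greedy body capture, which swallows everything up to the last closing tag, with a lazy capture that stops at the first matching close, and then shows a regex-free linear scan that reaches the same first-close result without any backtracking at all.

```javascript
// Added example (not Handlebars' own tokenizer): why a greedy body capture
// lets a raw block swallow past its first closing tag, and two ways to close
// at the first matching {{{{/name}}}} instead.

// Greedy: [\s\S]* first runs to the end of the input, then backtracks until
// it finds the LAST {{{{/name}}}}, so everything between the first and last
// close tag ends up inside the block body.
const GREEDY_RAW = /\{\{\{\{(\w+)\}\}\}\}([\s\S]*)\{\{\{\{\/\1\}\}\}\}/;

// Lazy: [\s\S]*? grows one character at a time and stops at the FIRST
// {{{{/name}}}} whose name matches the opening tag.
const LAZY_RAW = /\{\{\{\{(\w+)\}\}\}\}([\s\S]*?)\{\{\{\{\/\1\}\}\}\}/;

// Extract the first raw block with the given regex (helper for comparison).
function firstRawBlock(re, template) {
  const m = re.exec(template);
  return m ? { name: m[1], body: m[2] } : null;
}

// Regex-free scanner: locates the opening tag and its first matching close
// with indexOf. Each block costs a bounded number of forward string scans,
// so hostile input cannot make it backtrack.
function scanRawBlocks(template) {
  const blocks = [];
  let pos = 0;
  for (;;) {
    const open = template.indexOf('{{{{', pos);
    if (open === -1) break;
    const openEnd = template.indexOf('}}}}', open + 4);
    if (openEnd === -1) break;
    const name = template.slice(open + 4, openEnd);
    // Only a plain identifier is an opening raw tag; skip anything else
    // (for example a stray closing tag) and keep scanning forward.
    if (!/^\w+$/.test(name)) { pos = open + 4; continue; }
    const closeTag = '{{{{/' + name + '}}}}';
    const close = template.indexOf(closeTag, openEnd + 4);
    if (close === -1) break; // unterminated raw block: stop rather than guess
    blocks.push({ name, body: template.slice(openEnd + 4, close) });
    pos = close + closeTag.length;
  }
  return blocks;
}

// Constructed sample template: two raw blocks with the same name.
const SAMPLE =
  '{{{{raw}}}} first {{{{/raw}}}} between {{{{raw}}}} second {{{{/raw}}}}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('greedy body :', JSON.stringify(firstRawBlock(GREEDY_RAW, SAMPLE).body));
  console.log('lazy body   :', JSON.stringify(firstRawBlock(LAZY_RAW, SAMPLE).body));
  console.log('scanner     :', JSON.stringify(scanRawBlocks(SAMPLE).map(b => b.body)));
}
```

On the sample, the greedy regex returns a body that contains the first close tag and the second block, the lazy regex returns only ` first `, and the scanner returns both blocks with their own bodies. Where a parser is handed untrusted templates, the scanner-style approach is the more defensible one: its cost is proportional to the input length regardless of how the tags are arranged.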

Available Upgrade Options

  • handlebars
    • >4.0.0, <4.4.5 → Upgrade to 4.4.5


Additional Resources

What are Similar Vulnerabilities to CVE-2019-20922?

Similar Vulnerabilities: CVE-2023-28155, CVE-2022-24750, CVE-2022-25920, CVE-2023-26116, CVE-2023-45133