CVE-2019-20922: Uncontrolled Resource Consumption

February 10, 2022

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

References

github.com/advisories/GHSA-62gr-4qp9-h98f
github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
nvd.nist.gov/vuln/detail/CVE-2019-20922
snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
www.npmjs.com/advisories/1300
www.npmjs.com/package/handlebars

Code Behaviors & Features

Detect and mitigate CVE-2019-20922 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →