GHSA-62gr-4qp9-h98f

Source

https://github.com/advisories/GHSA-62gr-4qp9-h98f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-62gr-4qp9-h98f/GHSA-62gr-4qp9-h98f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-62gr-4qp9-h98f

Aliases

CVE-2019-20922
SNYK-JS-HANDLEBARS-480388

Published

2022-02-10T20:38:22Z

Modified

2024-08-01T09:11:43.822837Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Regular Expression Denial of Service in Handlebars

Details

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

References

Affected packages

npm / handlebars

Package

Name: handlebars; View open source insights on deps.dev
Purl: pkg:npm/handlebars

Affected ranges

Type: SEMVER
Events: Introduced

4.0.0

Fixed

4.4.5

Ecosystem specific

{
    "affected_functions": [
        "(handlebars).compile"
    ]
}