CVE-2019-19919: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

December 26, 2019 (updated July 26, 2021)

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object’s proto and defineGetter properties, which may allow an attacker to execute arbitrary code through crafted payloads.

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
github.com/advisories/GHSA-w457-6q6x-cgp9
github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc
github.com/wycats/handlebars.js/issues/1558
nvd.nist.gov/vuln/detail/CVE-2019-19919
www.npmjs.com/advisories/1164

Detect and mitigate CVE-2019-19919 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →