What is CVE-2019-19919?

CVE-2019-19919 is a vulnerability in handlebars prior to version 4.3.0 that allows for Prototype Pollution leading to Remote Code Execution.

How severe is CVE-2019-19919?

CVE-2019-19919 is rated as critical with a severity score of 9.8 out of 10.

Which software versions are affected by CVE-2019-19919?

Versions 1.0.6 to 1.3.0 and 2.0.0 to 4.2.2 of Handlebars.js Project Handlebars.js, as well as versions of nodejs-handlebars prior to 4.3.0 are affected.

How can I fix CVE-2019-19919?

To fix CVE-2019-19919, update to version 4.3.0 of nodejs-handlebars or ensure you are using a non-vulnerable version of Handlebars.js Project Handlebars.js.

Where can I find more information about CVE-2019-19919?

You can find more information about CVE-2019-19919 in the following references: [Link 1](https://www.npmjs.com/advisories/1164), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1789961), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1789962).

Vulnerability/
CVE-2019-19919

critical

9.8

CWE

74 1321 471

24/9/2019

20/12/2019

26/12/2019

5/8/2024

CVE-2019-19919

First published: Tue Sep 24 2019(Updated: )

A flaw was found in nodejs-handlebars, where it is vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which allows an attacker to execute arbitrary code through crafted payloads. The highest threat from this vulnerability is to confidentiality and integrity.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/nodejs-handlebars	<4.3.0	4.3.0
Handlebars.js Project Handlebars.js	=1.0.6
Handlebars.js Project Handlebars.js	=1.0.7
Handlebars.js Project Handlebars.js	=1.0.8
Handlebars.js Project Handlebars.js	=1.0.9
Handlebars.js Project Handlebars.js	=1.0.10
Handlebars.js Project Handlebars.js	=1.0.11
Handlebars.js Project Handlebars.js	=1.0.12
Handlebars.js Project Handlebars.js	=1.1.0
Handlebars.js Project Handlebars.js	=1.1.1
Handlebars.js Project Handlebars.js	=1.1.2
Handlebars.js Project Handlebars.js	=1.2.0
Handlebars.js Project Handlebars.js	=1.2.1
Handlebars.js Project Handlebars.js	=1.3.0
Handlebars.js Project Handlebars.js	=2.0.0
Handlebars.js Project Handlebars.js	=3.0.0
Handlebars.js Project Handlebars.js	=3.0.1
Handlebars.js Project Handlebars.js	=3.0.2
Handlebars.js Project Handlebars.js	=3.0.3
Handlebars.js Project Handlebars.js	=3.0.4
Handlebars.js Project Handlebars.js	=3.0.5
Handlebars.js Project Handlebars.js	=3.0.6
Handlebars.js Project Handlebars.js	=3.0.7
Handlebars.js Project Handlebars.js	=4.0.0
Handlebars.js Project Handlebars.js	=4.0.1
Handlebars.js Project Handlebars.js	=4.0.2
Handlebars.js Project Handlebars.js	=4.0.3
Handlebars.js Project Handlebars.js	=4.0.4
Handlebars.js Project Handlebars.js	=4.0.5
Handlebars.js Project Handlebars.js	=4.0.6
Handlebars.js Project Handlebars.js	=4.0.7
Handlebars.js Project Handlebars.js	=4.0.8
Handlebars.js Project Handlebars.js	=4.0.9
Handlebars.js Project Handlebars.js	=4.0.10
Handlebars.js Project Handlebars.js	=4.0.11
Handlebars.js Project Handlebars.js	=4.0.12
Handlebars.js Project Handlebars.js	=4.0.13
Handlebars.js Project Handlebars.js	=4.0.14
Handlebars.js Project Handlebars.js	=4.1.0
Handlebars.js Project Handlebars.js	=4.1.1
Handlebars.js Project Handlebars.js	=4.1.2
Handlebars.js Project Handlebars.js	=4.2.0
Handlebars.js Project Handlebars.js	=4.2.1
Handlebars.js Project Handlebars.js	=4.2.2
Tenable Tenable.sc	<5.19.0
npm/handlebars	<3.0.8	3.0.8
npm/handlebars	>=4.0.0<4.3.0	4.3.0
rubygems/bootstrap-wysihtml5-rails	>=0.3.3.5<=0.3.3.8

Remedy

https://www.tenable.com/security/tns-2021-14

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2019-19919?
CVE-2019-19919 is a vulnerability in handlebars prior to version 4.3.0 that allows for Prototype Pollution leading to Remote Code Execution.
How severe is CVE-2019-19919?
CVE-2019-19919 is rated as critical with a severity score of 9.8 out of 10.
Which software versions are affected by CVE-2019-19919?
Versions 1.0.6 to 1.3.0 and 2.0.0 to 4.2.2 of Handlebars.js Project Handlebars.js, as well as versions of nodejs-handlebars prior to 4.3.0 are affected.
How can I fix CVE-2019-19919?
To fix CVE-2019-19919, update to version 4.3.0 of nodejs-handlebars or ensure you are using a non-vulnerable version of Handlebars.js Project Handlebars.js.
Where can I find more information about CVE-2019-19919?
You can find more information about CVE-2019-19919 in the following references: [Link 1](https://www.npmjs.com/advisories/1164), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1789961), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1789962).

collector/redhat-cve
collector/nvd-index
collector/nvd-cve
collector/github-advisory-latest
alias/GHSA-w457-6q6x-cgp9
alias/CVE-2019-19919
collector/github-advisory
agent/author
agent/type
agent/last-modified-date
agent/first-publish-date
agent/softwarecombine
agent/remedy
agent/weakness
agent/references
agent/severity
agent/description
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
agent/tags
agent/event
collector/mitre-cve
source/MITRE
vendor/handlebars.js project
canonical/handlebars.js project handlebars.js
version/handlebars.js project handlebars.js/1.0.6
version/handlebars.js project handlebars.js/1.0.7
version/handlebars.js project handlebars.js/1.0.8
version/handlebars.js project handlebars.js/1.0.9
version/handlebars.js project handlebars.js/1.0.10
version/handlebars.js project handlebars.js/1.0.11
version/handlebars.js project handlebars.js/1.0.12
version/handlebars.js project handlebars.js/1.1.0
version/handlebars.js project handlebars.js/1.1.1
version/handlebars.js project handlebars.js/1.1.2
version/handlebars.js project handlebars.js/1.2.0
version/handlebars.js project handlebars.js/1.2.1
version/handlebars.js project handlebars.js/1.3.0
version/handlebars.js project handlebars.js/2.0.0
version/handlebars.js project handlebars.js/3.0.0
version/handlebars.js project handlebars.js/3.0.1
version/handlebars.js project handlebars.js/3.0.2
version/handlebars.js project handlebars.js/3.0.3
version/handlebars.js project handlebars.js/3.0.4
version/handlebars.js project handlebars.js/3.0.5
version/handlebars.js project handlebars.js/3.0.6
version/handlebars.js project handlebars.js/3.0.7
version/handlebars.js project handlebars.js/4.0.0
version/handlebars.js project handlebars.js/4.0.1
version/handlebars.js project handlebars.js/4.0.2
version/handlebars.js project handlebars.js/4.0.3
version/handlebars.js project handlebars.js/4.0.4
version/handlebars.js project handlebars.js/4.0.5
version/handlebars.js project handlebars.js/4.0.6
version/handlebars.js project handlebars.js/4.0.7
version/handlebars.js project handlebars.js/4.0.8
version/handlebars.js project handlebars.js/4.0.9
version/handlebars.js project handlebars.js/4.0.10
version/handlebars.js project handlebars.js/4.0.11
version/handlebars.js project handlebars.js/4.0.12
version/handlebars.js project handlebars.js/4.0.13
version/handlebars.js project handlebars.js/4.0.14
version/handlebars.js project handlebars.js/4.1.0
version/handlebars.js project handlebars.js/4.1.1
version/handlebars.js project handlebars.js/4.1.2
version/handlebars.js project handlebars.js/4.2.0
version/handlebars.js project handlebars.js/4.2.1
version/handlebars.js project handlebars.js/4.2.2
vendor/tenable
canonical/tenable tenable.sc
package-manager/npm
package-manager/rubygems
package-manager/redhat