Description

Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.

Remediation

References

https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b

https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388

https://www.npmjs.com/advisories/1300

Related Vulnerabilities

CVE-2021-3223 Vulnerability in npm package node-red-dashboard

CVE-2021-23568 Vulnerability in npm package extend2

CVE-2013-0239 Vulnerability in maven package org.apache.cxf:cxf-bundle-minimal

CVE-2023-37955 Vulnerability in maven package org.jenkins-ci.plugins:test-results-aggregator

CVE-2022-28355 Vulnerability in maven package org.scala-js:scalajs-library_2.11

Severity

High

Classification

CWE-400 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Patch Third Party Advisory