EIQ-2019-0009



ID

EIQ-2019-0009

CVE

-

Description

Handlebars.js enables prototype pollution

Date

15 Feb 2019

Severity

3 - HIGH

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✓ 2.3.4

Assessment

The Handlebars.js Node.js module versions 4.0.12 and earlier make it possible for an attacker to modify the __proto__ accessor property.
Modified properties are propagated through inheritance to all objects.

This allows an attacker to add or modify arbitrary properties on the object prototype, and to execute arbitrary code on the targeted server.

Mitigation

Update to Handlebars.js 4.0.13 or later.
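
A dependency check for the mitigation above, as an added example that is not code from this advisory or from the Handlebars.js project: it scans a parsed package-lock.json for Handlebars.js copies older than 4.0.13, including copies nested under other packages. The sample lockfiles and the `report-renderer` package name are constructed for illustration.

```javascript
// Added example. Threshold taken from the advisory: fixed in Handlebars.js 4.0.13.
const FIXED = [4, 0, 13];

// True when `version` is older than 4.0.13. Values that are not plain semver
// (git URLs, tarballs, missing) return true so they get a manual review.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return Boolean(m[4]); // a prerelease such as 4.0.13-rc.1 sorts before 4.0.13
}

// Returns [{ path, version }] for every vulnerable handlebars copy in a parsed lockfile.
function findVulnerableHandlebars(lock) {
  const hits = [];
  if (lock.packages) {
    // Lockfile v2/v3: flat map keyed by install path.
    for (const [path, info] of Object.entries(lock.packages)) {
      const name = path.split('node_modules/').pop();
      if (name === 'handlebars' && isVulnerable(info.version)) hits.push({ path, version: info.version });
    }
    return hits;
  }
  // Lockfile v1: "dependencies" nested recursively.
  (function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'handlebars' && isVulnerable(info.version)) hits.push({ path: here.join(' > '), version: info.version });
      walk(info.dependencies, here);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles; "report-renderer" is a hypothetical package.
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  handlebars: { version: '4.0.13' },
  'report-renderer': { version: '1.2.0', dependencies: { handlebars: { version: '4.0.12' } } },
} };
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/handlebars': { version: '4.1.0' },
  'node_modules/report-renderer/node_modules/handlebars': { version: '4.0.12' },
} };

for (const lock of [SAMPLE_V1, SAMPLE_V3]) console.log(findVulnerableHandlebars(lock));
```

To check a real project, pass the result of `JSON.parse` on its package-lock.json to `findVulnerableHandlebars`.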

Affected versions

2.3.0 to 2.3.3 included.

Notes

For more information, see:


In release notes 2.3.3

In release notes 2.3.4