{"id":"CVE-2019-19919","details":"Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.","aliases":["GHSA-w457-6q6x-cgp9"],"modified":"2026-03-14T09:36:18.593188Z","published":"2019-12-20T23:15:11.480Z","related":["CGA-9r76-cp2v-qfx3"],"references":[{"type":"ADVISORY","url":"https://www.npmjs.com/advisories/1164"},{"type":"FIX","url":"https://www.tenable.com/security/tns-2021-14"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wycats/handlebars.js","events":[{"introduced":"0"},{"last_affected":"f5289a35ecdbd35898fa6d291600ac9427930b44"},{"introduced":"0"},{"last_affected":"b5074a88ec17917309f5482de004076f3f676ad1"},{"introduced":"0"},{"last_affected":"5ac29dcb50cea15bee830304e391afd7375d56aa"},{"introduced":"0"},{"last_affected":"b74711e63b7bab7971cb1267f7f0bd9a60b525d7"},{"introduced":"0"},{"last_affected":"948231a31d7d6786f1ea0a293a378b20928f6f2b"},{"introduced":"0"},{"last_affected":"4cf0410b7cc3e06f09b98bbc42a3d2df8e561eba"},{"introduced":"0"},{"last_affected":"2a073e0993b40b81fbef82f681bb1dd171f2233b"},{"introduced":"0"},{"last_affected":"c53e95414f4e74bf6dfb2379a6b9b2468b8fcb31"},{"introduced":"0"},{"last_affected":"09cdc19a21cd15059f1982f533bc65e2daae904d"},{"introduced":"0"},{"last_affected":"47d13cb23c968ada3878b8bacf2813fb01758475"},{"introduced":"0"},{"last_affected":"096b8ccd2e376d621fd281e08d557a4632188aaa"},{"introduced":"0"},{"last_affected":"1c0614bd88b835b7cdfe1fb7f39650c18f645763"},{"introduced":"0"},{"last_affected":"0c6829f8af189622afd726bb72c195b5323bd6f9"},{"introduced":"0"},{"last_affected":"1eb2b04aa1468059172af16968e28ba3a9c07e6d"},{"introduced":"0"},{"last_affected":"0099e16a01bae4789c3560e2a658fdd7fecc9e12"},{"introduced":"0"},{"last_affected":"afe730e0594440dd17fdc43271fc4a7db19327f3"},{"introduced":"0"},{"last_affected":"2f0b86665f6080c065d67182ccfdca2ce6f243fa"},{"introduced":"0"},{"last_affected":"891f48b7e9c321dd9cbe7a898533eb6b2434b8a0"},{"introduced":"0"},{"last_affected":"698c8a93a4066937977503d338bcd3b90d5035ca"},{"introduced":"0"},{"last_affected":"64254b604b9d7fdf76d40b9c6675326eb4bda42b"},{"introduced":"0"},{"last_affected":"5a427d2d2b7264a83ca6702fddf63a6c7ba281c4"},{"introduced":"0"},{"last_affected":"55e4d9d80d5dd834fcf53c528e7e0aa080f315a5"},{"introduced":"0"},{"last_affected":"bff5fab8f9d42e21950be00dcf1cedf4dc1a565b"},{"introduced":"0"},{"last_affected":"c7b28a65dab1f1bb370f258fd65796d74c7b53cb"},{"introduced":"0"},{"last_affected":"a5a3ab01d3659b996234e3fa5a4a32350a145096"},{"introduced":"0"},{"last_affected":"9365b8290070f34bf797c836aed4335ce6a4094f"},{"introduced":"0"},{"last_affected":"b7c95e9feb9b641af2fe83b23c3341ec624aae80"},{"introduced":"0"},{"last_affected":"205c61cfb1acdb599bbdfcf2d356641254e09e5c"},{"introduced":"0"},{"last_affected":"ad3037cf54132fc5f589134d3bef961a5f751973"},{"introduced":"0"},{"last_affected":"606fa55b0a2fab4b22b810a21fc9ae1fd5fd8430"},{"introduced":"0"},{"last_affected":"fed5818876ec325b2b48a61395fe0089bdda05e8"},{"introduced":"0"},{"last_affected":"5ec78a8c70ac674f39a8408e04d59bd40340f6fe"},{"introduced":"0"},{"last_affected":"670ec6fafbf99986a70074a37f73d41bad60b083"},{"introduced":"0"},{"last_affected":"1e954ddf3c3ec6d2318e1fadc5e03aaf065b2fbd"},{"introduced":"0"},{"last_affected":"8d22e6f501dc0720fe0610bb4dab60cae18e7d20"},{"introduced":"0"},{"last_affected":"9d4fff19d438a390b4e34d0a175b2de5f196cea8"},{"introduced":"0"},{"last_affected":"272362e44c66d0110a4c98c7c1d121971ce447a7"},{"introduced":"0"},{"last_affected":"7caca944b1ae64b5bc11cba67d21e4b51ba6196a"},{"introduced":"0"},{"last_affected":"f691db546e7563e1db3437d5a72f478f9e556714"},{"introduced":"0"},{"last_affected":"10b5fcf92e6f3ddcbcec93c05c00cfdbb2e8d303"},{"introduced":"0"},{"last_affected":"164c7ceea4ce074f70f2fefeba81e2e551757ea6"},{"introduced":"0"},{"last_affected":"fff3e40402c9f9cd790984560658646a26e1c930"},{"introduced":"0"},{"last_affected":"0d5c691f36baae183349c51c47228da45278c50a"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0.6-NA"},{"introduced":"0"},{"last_affected":"1.0.7-NA"},{"introduced":"0"},{"last_affected":"1.0.8-NA"},{"introduced":"0"},{"last_affected":"1.0.9-NA"},{"introduced":"0"},{"last_affected":"1.0.10-NA"},{"introduced":"0"},{"last_affected":"1.0.11-NA"},{"introduced":"0"},{"last_affected":"1.0.12-NA"},{"introduced":"0"},{"last_affected":"1.1.0-NA"},{"introduced":"0"},{"last_affected":"1.1.1-NA"},{"introduced":"0"},{"last_affected":"1.1.2-NA"},{"introduced":"0"},{"last_affected":"1.2.0-NA"},{"introduced":"0"},{"last_affected":"1.2.1-NA"},{"introduced":"0"},{"last_affected":"1.3.0-NA"},{"introduced":"0"},{"last_affected":"2.0.0-NA"},{"introduced":"0"},{"last_affected":"3.0.0-NA"},{"introduced":"0"},{"last_affected":"3.0.1-NA"},{"introduced":"0"},{"last_affected":"3.0.2-NA"},{"introduced":"0"},{"last_affected":"3.0.3-NA"},{"introduced":"0"},{"last_affected":"3.0.4-NA"},{"introduced":"0"},{"last_affected":"3.0.5-NA"},{"introduced":"0"},{"last_affected":"3.0.6-NA"},{"introduced":"0"},{"last_affected":"3.0.7-NA"},{"introduced":"0"},{"last_affected":"4.0.0-NA"},{"introduced":"0"},{"last_affected":"4.0.1-NA"},{"introduced":"0"},{"last_affected":"4.0.2-NA"},{"introduced":"0"},{"last_affected":"4.0.3-NA"},{"introduced":"0"},{"last_affected":"4.0.4-NA"},{"introduced":"0"},{"last_affected":"4.0.5-NA"},{"introduced":"0"},{"last_affected":"4.0.6-NA"},{"introduced":"0"},{"last_affected":"4.0.7-NA"},{"introduced":"0"},{"last_affected":"4.0.8-NA"},{"introduced":"0"},{"last_affected":"4.0.9-NA"},{"introduced":"0"},{"last_affected":"4.0.10-NA"},{"introduced":"0"},{"last_affected":"4.0.11-NA"},{"introduced":"0"},{"last_affected":"4.0.12-NA"},{"introduced":"0"},{"last_affected":"4.0.13-NA"},{"introduced":"0"},{"last_affected":"4.0.14-NA"},{"introduced":"0"},{"last_affected":"4.1.0-NA"},{"introduced":"0"},{"last_affected":"4.1.1-NA"},{"introduced":"0"},{"last_affected":"4.1.2-NA"},{"introduced":"0"},{"last_affected":"4.2.0-NA"},{"introduced":"0"},{"last_affected":"4.2.1-NA"},{"introduced":"0"},{"last_affected":"4.2.2-NA"}]}}],"versions":["0.9.0.pre.4","1.0.0.beta.1","v1.0.5beta","v1.0.6","v1.0.6beta"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19919.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"5.19.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}