CVE-2019-20922
Description
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Handlebars.js before 4.4.5 is vulnerable to Regular Expression Denial of Service (ReDoS) due to eager matching, allowing crafted templates to cause an infinite loop and exhaust system resources.
Handlebars.js versions prior to 4.4.5 contain a Regular Expression Denial of Service (ReDoS) vulnerability stemming from eager matching in the template parser [1]. The parser's regex patterns can be forced into an infinite loop when processing specially crafted template inputs, leading to excessive CPU consumption [1][2].
An attacker exploits this by supplying a crafted template to an application that renders user-controlled templates or partials with Handlebars.js, whether on the server or in the browser; no authentication is needed beyond that. The description attributes the hang to eager (greedy) matching in the parser's regular expressions, which such input can drive into an endless loop [2].
Successful exploitation results in a denial of service condition, exhausting system resources such as CPU and potentially causing the application to become unresponsive [1]. This can impact availability for legitimate users.
The vulnerability is fixed in Handlebars.js 4.4.5. The fix commit, 8d5530e, changes the tokenizer's raw-block CONTENT rule in src/handlebars.l from the greedy `[^\x00]+` to the lazy `[^\x00]+?` ahead of the `{{{{` lookahead, so the content of a raw block now ends at the first `{{{{` instead of the last one in the input [3]. Upgrade to 4.4.5 or later.
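To make the eager-matching point concrete, the following is an added example, not Handlebars' own code. Only the two CONTENT patterns are taken from the fix diff (written as the anchored regexes jison-lex builds for a `pattern/lookahead` rule); the raw-block open/close rules, the single-level raw state, the first-match ordering and the `tokenize`, `tokenTypes` and `rawBodies` helpers are simplifying assumptions of this example. The two inputs are the cases the fix commit adds to spec/tokenizer.js and spec/helpers.js.

```javascript
'use strict';
// Added example, not Handlebars' own code: a toy model of the <raw> lexer state from
// src/handlebars.l, just enough to show what the one-character change in commit 8d5530e does.
// The two CONTENT patterns are the exact rules from the diff, as the anchored JavaScript
// regexes jison-lex builds for a `pattern/lookahead` rule. Everything else (OPEN/CLOSE rules,
// single-level raw state, first-match ordering) is a simplified assumption, not the project's lexer.

const CONTENT_GREEDY = /^(?:[^\x00]+)(?=\{\{\{\{)/;  // before 4.4.5: <raw>[^\x00]+/("{{{{")
const CONTENT_LAZY   = /^(?:[^\x00]+?)(?=\{\{\{\{)/; // 4.4.5:        <raw>[^\x00]+?/("{{{{")

// ID character class as it appears in the context line of the src/handlebars.l hunk.
const ID = '[^\\s!"#%-,\\.\\/;->@\\[-\\^`\\{-~]+';
const OPEN_RAW  = new RegExp('^\\{\\{\\{\\{(' + ID + ')\\}\\}\\}\\}');  // {{{{name}}}}  (assumed rule)
const CLOSE_RAW = new RegExp('^\\{\\{\\{\\{/(' + ID + ')\\}\\}\\}\\}'); // {{{{/name}}}} (assumed rule)

// Tokenize a template made of plain text and raw blocks, using `contentRule` for the
// CONTENT token inside a raw block. Returns [type, text] pairs.
function tokenize(template, contentRule) {
  const tokens = [];
  let rest = template;
  let inRaw = false;
  let guard = 0;
  while (rest.length > 0) {
    if (++guard > 10000) throw new Error('lexer made no progress');
    let consumed;
    if (!inRaw) {
      const m = OPEN_RAW.exec(rest);
      if (m) {
        tokens.push(['OPEN_RAW_BLOCK', '{{{{'], ['ID', m[1]], ['CLOSE_RAW_BLOCK', '}}}}']);
        inRaw = true;
        consumed = m[0].length;
      } else {
        // Outside a raw block: plain text up to the next `{{{{` (or end of input).
        const idx = rest.indexOf('{{{{');
        const text = idx === -1 ? rest : rest.slice(0, idx);
        if (text.length === 0) throw new Error('unexpected input: ' + rest.slice(0, 16));
        tokens.push(['CONTENT', text]);
        consumed = text.length;
      }
    } else {
      let m = CLOSE_RAW.exec(rest);
      if (m) {
        tokens.push(['END_RAW_BLOCK', m[1]]);
        inRaw = false;
      } else if ((m = contentRule.exec(rest))) {
        // Greedy rule: runs to the LAST `{{{{` in the input. Lazy rule: stops at the FIRST.
        tokens.push(['CONTENT', m[0]]);
      } else {
        throw new Error('raw block is missing its closing braces');
      }
      consumed = m[0].length;
    }
    rest = rest.slice(consumed);
  }
  if (inRaw) throw new Error('raw block is missing its closing braces');
  return tokens;
}

function tokenTypes(template, contentRule) {
  return tokenize(template, contentRule).map(t => t[0]);
}

// The body an identity helper would receive for each raw block.
function rawBodies(template, contentRule) {
  const bodies = [];
  let inRaw = false, body = '';
  for (const [type, text] of tokenize(template, contentRule)) {
    if (type === 'CLOSE_RAW_BLOCK') { inRaw = true; body = ''; }
    else if (type === 'END_RAW_BLOCK') { inRaw = false; bodies.push(body); }
    else if (inRaw && type === 'CONTENT') body += text;
  }
  return bodies;
}

// Constructed inputs: the 'tokenizes raw blocks' case from spec/tokenizer.js and the
// 'closes after first matching close' case from spec/helpers.js in the fix commit.
const SEQUENTIAL = '{{{{a}}}} abc {{{{/a}}}} aaa {{{{a}}}} abc {{{{/a}}}}';
const IDENTITY   = '{{{{identity}}}}abc{{{{/identity}}}} {{{{identity}}}}abc{{{{/identity}}}}';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('greedy:', tokenTypes(SEQUENTIAL, CONTENT_GREEDY).join(' '));
  console.log('lazy:  ', tokenTypes(SEQUENTIAL, CONTENT_LAZY).join(' '));
  console.log('greedy bodies:', rawBodies(IDENTITY, CONTENT_GREEDY));
  console.log('lazy bodies:  ', rawBodies(IDENTITY, CONTENT_LAZY));
}
```

Run it with `node`. With the pre-4.4.5 greedy rule the first raw block swallows the second one and everything between them (one CONTENT token, one END_RAW_BLOCK), which is the behaviour the new helpers test rejects; with the lazy rule the token stream is exactly the eleven tokens the new tokenizer test expects and the identity helper sees `abc` twice.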
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| handlebars (npm) | >= 4.0.0, < 4.4.5 | 4.4.5 |
Affected products
- Handlebars / Handlebars
Patches
28e1cce79186a v4.4.5
5 files changed · +5 −5
components/bower.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "handlebars", - "version": "4.4.4", + "version": "4.4.5", "main": "handlebars.js", "license": "MIT", "dependencies": {}
components/handlebars.js.nuspec+1 −1 modified@@ -2,7 +2,7 @@ <package> <metadata> <id>handlebars.js</id> - <version>4.4.4</version> + <version>4.4.5</version> <authors>handlebars.js Authors</authors> <licenseUrl>https://github.com/wycats/handlebars.js/blob/master/LICENSE</licenseUrl> <projectUrl>https://github.com/wycats/handlebars.js/</projectUrl>
components/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "handlebars", - "version": "4.4.4", + "version": "4.4.5", "license": "MIT", "jspm": { "main": "handlebars",
lib/handlebars/base.js+1 −1 modified@@ -4,7 +4,7 @@ import {registerDefaultHelpers} from './helpers'; import {registerDefaultDecorators} from './decorators'; import logger from './logger'; -export const VERSION = '4.4.4'; +export const VERSION = '4.4.5'; export const COMPILER_REVISION = 8; export const LAST_COMPATIBLE_COMPILER_REVISION = 7;
package.json+1 −1 modified@@ -1,7 +1,7 @@ { "name": "handlebars", "barename": "handlebars", - "version": "4.4.4", + "version": "4.4.5", "description": "Handlebars provides the power necessary to let you build semantic templates effectively with no frustration", "homepage": "http://www.handlebarsjs.com/", "keywords": [
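Review bot: the version string is hand-edited in five files here (components/bower.json, components/handlebars.js.nuspec, components/package.json, lib/handlebars/base.js, package.json), and COMPILER_REVISION in lib/handlebars/base.js is left untouched; a release step that writes the other four from package.json would prevent the copies drifting. This commit contains no code change, so anyone auditing the fix should read commit 8d5530e, not this one.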
8d5530ee2c3e fix: non-eager matching raw-block-contents
3 files changed · +15 −2
spec/helpers.js+9 −1 modified@@ -47,10 +47,18 @@ describe('helpers', function() { runWithIdentityHelper('{{{{identity}}}}{{{{/identity}}}}', ''); }); - it('helper for nested raw block works if nested raw blocks are broken', function() { + xit('helper for nested raw block works if nested raw blocks are broken', function() { + // This test was introduced in 4.4.4, but it was not the actual problem that lead to the patch release + // The test is deactivated, because in 3.x this template cases an exception and it also does not work in 4.4.3 + // If anyone can make this template work without breaking everything else, then go for it, + // but for now, this is just a known bug, that will be documented. runWithIdentityHelper('{{{{identity}}}} {{{{a}}}} {{{{ {{{{/ }}}} }}}} {{{{/identity}}}}', ' {{{{a}}}} {{{{ {{{{/ }}}} }}}} '); }); + it('helper for nested raw block closes after first matching close', function() { + runWithIdentityHelper('{{{{identity}}}}abc{{{{/identity}}}} {{{{identity}}}}abc{{{{/identity}}}}', 'abc abc'); + }); + it('helper for nested raw block throw exception when with missing closing braces', function() { var string = '{{{{a}}}} {{{{/a'; shouldThrow(function() {
spec/tokenizer.js+5 −0 modified@@ -441,4 +441,9 @@ describe('Tokenizer', function() { result = tokenize('{{else foo as |bar baz|}}'); shouldMatchTokens(result, ['OPEN_INVERSE_CHAIN', 'ID', 'OPEN_BLOCK_PARAMS', 'ID', 'ID', 'CLOSE_BLOCK_PARAMS', 'CLOSE']); }); + + it('tokenizes raw blocks', function() { + var result = tokenize('{{{{a}}}} abc {{{{/a}}}} aaa {{{{a}}}} abc {{{{/a}}}}'); + shouldMatchTokens(result, ['OPEN_RAW_BLOCK', 'ID', 'CLOSE_RAW_BLOCK', 'CONTENT', 'END_RAW_BLOCK', 'CONTENT', 'OPEN_RAW_BLOCK', 'ID', 'CLOSE_RAW_BLOCK', 'CONTENT', 'END_RAW_BLOCK']); + }); });
src/handlebars.l+1 −1 modified@@ -63,7 +63,7 @@ ID [^\s!"#%-,\.\/;->@\[-\^`\{-~]+/{LOOKAHEAD} return 'END_RAW_BLOCK'; } } -<raw>[^\x00]+/("{{{{") { return 'CONTENT'; } +<raw>[^\x00]+?/("{{{{") { return 'CONTENT'; } <com>[\s\S]*?"--"{RIGHT_STRIP}?"}}" { this.popState();
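Review bot: in spec/helpers.js, switching `it` to `xit` silently disables the nested-raw-block case, and the only record of the limitation is the comment "this is just a known bug, that will be documented"; the known bug should be recorded in the changelog or docs with this release and the skipped test should point at a tracking issue, otherwise the 4.4.4 test quietly disappears from the suite.

Review bot: in spec/tokenizer.js, the new case covers two sequential raw blocks but not a raw block whose body itself contains a `{{{{` that is not its closer, which is exactly the input the helpers spec now skips; a tokenizer case for that input, even one asserting the current (wrong) token stream, would document the limitation at the token level.

Review bot: in src/handlebars.l, the change from `[^\x00]+` to `[^\x00]+?` makes CONTENT stop at the first `{{{{` instead of the last, which is what fixes the sequential-block case; note the rule still requires at least one character before `{{{{`, so an empty raw block depends on END_RAW_BLOCK matching first (covered by the existing `'{{{{identity}}}}{{{{/identity}}}}'` case in spec/helpers.js). Add a comment at the rule saying why the lazy quantifier is required, since a later cleanup back to `+` would reintroduce the eager matching this patch removes.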
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-62gr-4qp9-h98f (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-20922 (NVD)
- github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b (fix commit)
- snyk.io/vuln/SNYK-JS-HANDLEBARS-480388 (Snyk)
- www.npmjs.com/advisories/1300 (npm advisory)
- www.npmjs.com/package/handlebars (npm package)
News mentions
No linked articles in our index yet.