Skip to content

Arbitrary Code Execution in handlebars

High severity GitHub Reviewed Published Sep 4, 2020

Package

npm handlebars (npm)

Affected versions

< 3.0.8
>= 4.0.0, < 4.5.3

Patched versions

3.0.8
4.5.3

Description

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

References

Severity

High

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-q2c6-c6pm-g3gh

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.