CVE-2021-23369 – handlebars
Package
Manager: npm
Name: handlebars
Vulnerable Version: >=0 <4.7.7
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.04041 (percentile: 0.88051)
Details
Remote code execution in handlebars when compiling templates
The handlebars package before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compiling options are selected to compile templates coming from an untrusted source.
Metadata
Created: 2021-05-06T15:57:44Z
Modified: 2022-10-04T16:29:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-f2jv-r9rf-7988/GHSA-f2jv-r9rf-7988.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-f2jv-r9rf-7988
Finding: F422
Auto approve: 1