Fluid Attacks Database

Description

Arbitrary Code Execution in Handlebars Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-handlebars	>=0 <3:4.5.3-1	3:4.5.3-1
debian 11	node-handlebars	>=0 <3:4.5.3-1	3:4.5.3-1
debian 12	node-handlebars	>=0 <3:4.5.3-1	3:4.5.3-1
debian 13	node-handlebars	>=0 <3:4.5.3-1	3:4.5.3-1
npm	handlebars	>=0 <3.0.8 \|\| >=4.0.0 <4.5.3	3.0.8, 4.5.3

Aliases

1. CVE-2019-209202. NVD-2019-209203. OSV-DEBIAN-2019-209204. OSV-2019-209205. GCVE-2019-209206. SECURITY-TRACKER-CVE-2019-20920

References

1. https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee2. https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e3. https://www.npmjs.com/advisories/13164. https://www.npmjs.com/advisories/13245. https://www.npmjs.com/package/handlebars