logo

Database

Server side template injection In handlebars

Description

Arbitrary Code Execution in handlebars Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

The following template can be used to demonstrate the vulnerability:

	{{#with split as |a|}}
		{{pop (push "alert('Vulnerable Handlebars JS');")}}
		{{#with (concat (lookup join (slice 0 1)))}}
			{{#each (slice 2 3)}}
				{{#with (apply 0 a)}}
					{{.}}
				{{/with}}
			{{/each}}...

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-2cf5-4w76-r9qv

References

1. https://www.npmjs.com/advisories/1316

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.