Arbitrary Code Execution in handlebars

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Published: Sep 4, 2020
Updated: Apr 14, 2023
GHSA: GHSA-q2c6-c6pm-g3gh
Severity: High
Exploit:

No technical information available.

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
wycats / handlebars	-	3.0.8
wycats / handlebars	4.0.0	4.5.3

https://www.npmjs.com/advisories/1324

Vulnerability Database

289,697

Arbitrary Code Execution in handlebars

Recommendation