Prototype Pollution in handlebars

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Recommendation

For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.14 or later.

Published: Jun 5, 2019
Updated: Apr 14, 2023
GHSA: GHSA-q42p-pg8m-cqh6
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWEs:

CWE-471

Affected Software
References

Software	From	Fixed in
wycats / handlebars	4.1.0	4.1.2
wycats / handlebars	4.0.0	4.0.14
wycats / handlebars	-	3.0.7

https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac
https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86
https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4
https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e
https://github.com/handlebars-lang/handlebars.js/issues/1495
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
https://www.npmjs.com/advisories/755

Vulnerability Database

289,782

Prototype Pollution in handlebars

Recommendation