NodeJS/handlebars/3.0.3
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
https://www.npmjs.com/package/handlebars
MIT
13 Security Vulnerabilities
Arbitrary Code Execution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
The following template can be used to demonstrate the vulnerability:
{{#with "constructor"}}
{{#with split as |a|}}
{{pop (push "alert('Vulnerable Handlebars JS');")}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 a)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
Arbitrary Code Execution in Handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2019-20920
- https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
- https://www.npmjs.com/advisories/1316
- https://www.npmjs.com/advisories/1324
- https://www.npmjs.com/package/handlebars
- https://github.com/advisories/GHSA-3cqr-58rm-57f8
- https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Remote code execution in Handlebars.js
Handlebars.js before 4.1.0 has Remote Code Execution (RCE)
Prototype Pollution in handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2021-23383
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
- https://www.npmjs.com/package/handlebars
- https://security.netapp.com/advisory/ntap-20210618-0007/
- https://github.com/advisories/GHSA-765h-qjxv-5f44
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when certain compile options are selected to compile templates coming from an untrusted source.
Cross-Site Scripting in handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2015-8861
- https://github.com/advisories/GHSA-9prh-257w-9277
- https://github.com/wycats/handlebars.js/pull/1083
- https://blog.srcclr.com/handlebars_vulnerability_research_findings/
- https://www.npmjs.com/advisories/61
- https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings/
- https://www.tenable.com/security/tns-2016-18
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- http://www.securityfocus.com/bid/96434
Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebars templates are not quoted.
Proof of Concept
Template:
<a href={{foo}}/>
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href=test.com onload=alert(1)/>
Recommendation
Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
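To show why the recommendation to quote attributes matters, and to give teams a check they can run over their own templates, here is an added example in Node.js. It is not code from this advisory or from the Handlebars project: the escape map is my own stand-in for Handlebars' escapeExpression as it behaves in 4.x (the linked PR #1083, shipped in 4.0.0, is assumed to be what added `=` to that map), the renderer only handles plain `{{name}}` mustaches, and the lint function is a hypothetical helper that flags `{{...}}` placed directly after `attribute=` with no surrounding quote.

```javascript
// Added example, not part of the advisory page or the Handlebars project.
// Demonstrates (1) why an unquoted attribute lets an HTML-escaped value still
// inject a second attribute, and (2) a lint that flags unquoted {{...}} in
// attribute position.
// Assumption: ESCAPE_MAP mirrors Handlebars 4.x escapeExpression (& < > " ' ` =);
// the fix linked above (PR #1083, 4.0.0) is assumed to be what added "=".

const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#x27;', '`': '&#x60;', '=': '&#x3D;',
};
const ESCAPE_CHARS = /[&<>"'`=]/g;

// Stand-in for Handlebars.escapeExpression (our own, for this demo only).
function escapeExpression(value) {
  return String(value).replace(ESCAPE_CHARS, (ch) => ESCAPE_MAP[ch]);
}

// Toy renderer: substitutes simple {{name}} mustaches, always HTML-escaped.
// Missing context keys render as an empty string, as Handlebars does.
function render(template, context) {
  return template.replace(/\{\{\s*([A-Za-z_]\w*)\s*\}\}/g, (_, name) =>
    escapeExpression(context[name] == null ? '' : context[name]));
}

// Lint: report every {{...}} that directly follows `attr=` (optionally with
// whitespace) without a quote character in between. Returns one finding per
// hit with the 1-based line number, so it can run in CI over *.hbs files.
function findUnquotedAttributeExpressions(template) {
  const findings = [];
  const re = /([A-Za-z_:][-\w:.]*)\s*=\s*(\{\{[^}]*\}\})/g;
  let m;
  while ((m = re.exec(template)) !== null) {
    const line = template.slice(0, m.index).split('\n').length;
    findings.push({ attribute: m[1], expression: m[2], line });
  }
  return findings;
}

// Constructed input, taken from the advisory's proof of concept above.
const CONTEXT = { foo: 'test.com onload=alert(1)' };
const UNQUOTED = '<a href={{foo}}/>';
const QUOTED = '<a href="{{foo}}"/>';

function demo() {
  // Unquoted: the space in the value ends the href and starts a new attribute.
  console.log(render(UNQUOTED, CONTEXT));
  // Quoted: the whole value stays inside href; " and = are escaped.
  console.log(render(QUOTED, CONTEXT));
  for (const f of findUnquotedAttributeExpressions(UNQUOTED)) {
    console.log(`line ${f.line}: attribute "${f.attribute}" uses unquoted ${f.expression}`);
  }
}

demo();
```

With the 4.x map the unquoted render is `<a href=test.com onload&#x3D;alert(1)/>`: the `=` is escaped, so the browser sees an odd attribute name rather than an event handler, which is why the 4.0.0 change closes the original PoC. The escaping does not stop the value from spilling out of `href` into a second attribute, though, so the quoted form is the one to require; the lint above is the cheap way to enforce that across a template tree.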
Remote code execution in handlebars when compiling templates
- https://nvd.nist.gov/vuln/detail/CVE-2021-23369
- https://github.com/advisories/GHSA-f2jv-r9rf-7988
- https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://security.netapp.com/advisory/ntap-20210604-0008/
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source.
Moderate severity vulnerability that affects handlebars
Withdrawn: Duplicate of GHSA-9prh-257w-9277
Prototype Pollution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties of the Object prototype through a malicious template. This may allow attackers to crash the application or execute arbitrary code under specific conditions.
Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
Arbitrary Code Execution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
Prototype Pollution in handlebars
- https://github.com/handlebars-lang/handlebars.js/issues/1495
- https://github.com/advisories/GHSA-q42p-pg8m-cqh6
- https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
- https://www.npmjs.com/advisories/755
- https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac
- https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4
- https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e
Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.
Recommendation
For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.14 or later.
Prototype Pollution in handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2019-19919
- https://github.com/advisories/GHSA-w457-6q6x-cgp9
- https://www.npmjs.com/advisories/1164
- https://github.com/wycats/handlebars.js/issues/1558
- https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919
- https://www.tenable.com/security/tns-2021-14
- https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
- https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db
- https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js
- https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml
Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.
Recommendation
Upgrade to version 3.0.8, 4.3.0 or later.
Denial of Service
Crash Node.js process from handlebars using a small and simple source
Quoteless Attributes in Templates can lead to Content Injection
Not using quotes around attributes in handlebars templates can lead to content injection.
Example
Template:
<a href={{foo}}/>
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href=test.com onload=alert(1)/>
80 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
3.0.7 | MIT | 12 | 2019-06-30 - 08:54 | about 5 years |
1.0.6-2 | MIT | 13 | 2012-07-31 - 16:51 | about 12 years |
1.0.6 | MIT | 13 | 2012-07-23 - 20:40 | about 12 years |
1.0.8 | MIT | 13 | 2013-01-19 - 08:16 | over 11 years |
1.0.7 | MIT | 13 | 2012-09-18 - 00:27 | about 12 years |
1.0.10 | MIT | 13 | 2013-02-27 - 13:52 | over 11 years |
1.0.11 | MIT | 13 | 2013-05-14 - 04:09 | over 11 years |
1.0.12 | MIT | 13 | 2013-05-31 - 18:17 | over 11 years |
1.0.9 | MIT | 13 | 2013-02-16 - 01:42 | over 11 years |
1.1.1 | BSD | 13 | 2013-11-04 - 16:51 | almost 11 years |
1.1.2 | BSD | 13 | 2013-11-06 - 00:10 | almost 11 years |
1.2.0 | MIT | 13 | 2013-12-24 - 03:40 | over 10 years |
1.2.1 | MIT | 13 | 2013-12-26 - 22:29 | over 10 years |
1.3.0 | MIT | 13 | 2014-01-02 - 04:10 | over 10 years |
1.1.0 | BSD | 13 | 2013-11-04 - 03:26 | almost 11 years |
2.0.0-alpha.2 | MIT | 13 | 2014-03-06 - 07:29 | over 10 years |
2.0.0-alpha.3 | MIT | 13 | 2014-05-20 - 03:29 | over 10 years |
2.0.0-alpha.4 | MIT | 13 | 2014-05-20 - 04:15 | over 10 years |
2.0.0-beta.1 | MIT | 13 | 2014-08-26 - 23:56 | about 10 years |
2.0.0 | MIT | 13 | 2014-09-02 - 02:28 | about 10 years |
3.0.0 | MIT | 13 | 2015-02-10 - 06:19 | over 9 years |
3.0.1 | MIT | 13 | 2015-03-24 - 19:22 | over 9 years |
3.0.2 | MIT | 13 | 2015-04-20 - 08:11 | over 9 years |
3.0.3 | MIT | 13 | 2015-04-28 - 19:52 | over 9 years |
2.0.0-alpha.1 | MIT | 13 | 2014-02-10 - 08:13 | over 10 years |
3.0.4 | MIT | 13 | 2018-12-15 - 12:55 | almost 6 years |
3.0.6 | MIT | 13 | 2019-01-02 - 09:19 | over 5 years |
1.0.4-beta | MIT | 13 | 2012-01-17 - 20:31 | over 12 years |
1.0.2-beta | MIT | 13 | 2011-08-22 - 07:43 | about 13 years |
1.0.5-beta | MIT | 13 | 2012-02-09 - 17:06 | over 12 years |
3.0.5 | MIT | 13 | 2018-12-15 - 13:16 | almost 6 years |
3.0.8 | MIT | 7 | 2020-02-23 - 10:02 | over 4 years |
4.0.14 | MIT | 11 | 2019-04-13 - 14:39 | over 5 years |
4.2.2 | MIT | 10 | 2019-10-02 - 20:13 | almost 5 years |
4.2.0 | MIT | 10 | 2019-09-03 - 19:58 | about 5 years |
4.2.1 | MIT | 10 | 2019-09-20 - 17:41 | about 5 years |
4.1.2 | MIT | 10 | 2019-04-13 - 14:20 | over 5 years |
4.0.11 | MIT | 12 | 2017-10-17 - 20:53 | almost 7 years |
4.0.10 | MIT | 12 | 2017-05-21 - 12:11 | over 7 years |
4.0.7 | MIT | 12 | 2017-04-29 - 20:54 | over 7 years |
4.0.6 | MIT | 12 | 2016-11-13 - 01:27 | almost 8 years |
4.0.8 | MIT | 12 | 2017-05-02 - 20:56 | over 7 years |
4.0.4 | MIT | 12 | 2015-10-29 - 06:57 | almost 9 years |
4.0.2 | MIT | 12 | 2015-09-04 - 14:13 | about 9 years |
4.0.1 | MIT | 12 | 2015-09-03 - 02:21 | about 9 years |
4.0.3 | MIT | 12 | 2015-09-24 - 03:41 | almost 9 years |
4.0.5 | MIT | 12 | 2015-11-20 - 05:07 | almost 9 years |
4.0.9 | MIT | 12 | 2017-05-21 - 11:40 | over 7 years |
4.0.12 | MIT | 12 | 2018-09-04 - 18:46 | about 6 years |
4.0.0 | MIT | 12 | 2015-09-01 - 13:19 | about 9 years |
4.0.13 | MIT | 12 | 2019-02-07 - 10:28 | over 5 years |
4.1.0 | MIT | 11 | 2019-02-07 - 09:48 | over 5 years |
4.1.1 | MIT | 11 | 2019-03-16 - 21:29 | over 5 years |
4.1.2-0 | MIT | 11 | 2019-08-25 - 16:07 | about 5 years |
4.5.2 | MIT | 6 | 2019-11-13 - 21:08 | almost 5 years |
4.3.1 | MIT | 9 | 2019-09-24 - 22:35 | almost 5 years |
4.3.0 | MIT | 9 | 2019-09-24 - 06:11 | almost 5 years |
4.3.2 | MIT | 9 | 2019-09-26 - 21:59 | almost 5 years |
4.4.0 | MIT | 9 | 2019-09-29 - 13:30 | almost 5 years |
4.3.5 | MIT | 9 | 2019-10-02 - 20:06 | almost 5 years |
4.3.4 | MIT | 9 | 2019-09-28 - 11:37 | almost 5 years |
4.4.2 | MIT | 9 | 2019-10-02 - 20:47 | almost 5 years |
4.4.3 | MIT | 9 | 2019-10-08 - 20:06 | almost 5 years |
4.4.4 | MIT | 9 | 2019-10-20 - 19:35 | almost 5 years |
4.4.1 | MIT | 9 | 2019-10-02 - 19:53 | almost 5 years |
4.3.3 | MIT | 9 | 2019-09-27 - 05:47 | almost 5 years |
4.5.3 | MIT | 3 | 2019-11-18 - 07:11 | almost 5 years |
4.4.5 | MIT | 7 | 2019-10-20 - 21:08 | almost 5 years |
4.5.0 | MIT | 7 | 2019-10-28 - 18:48 | almost 5 years |
4.5.1 | MIT | 7 | 2019-10-29 - 04:42 | almost 5 years |
4.7.0 | MIT | 2 | 2020-01-10 - 16:24 | over 4 years |
4.6.0 | MIT | 2 | 2020-01-08 - 22:45 | over 4 years |
4.7.1 | MIT | 2 | 2020-01-12 - 12:21 | over 4 years |
4.7.3 | MIT | 2 | 2020-02-05 - 05:11 | over 4 years |
4.7.2 | MIT | 2 | 2020-01-13 - 20:53 | over 4 years |
4.7.4 | MIT | 2 | 2020-04-01 - 17:21 | over 4 years |
4.7.5 | MIT | 2 | 2020-04-02 - 19:10 | over 4 years |
4.7.6 | MIT | 2 | 2020-04-03 - 17:59 | over 4 years |
4.7.7 | MIT | | 2021-02-15 - 09:39 | over 3 years |
4.7.8 | MIT | | 2023-08-01 - 21:19 | about 1 year |