NodeJS/handlebars/3.0.8
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
https://www.npmjs.com/package/handlebars
MIT
7 Security Vulnerabilities
Remote code execution in Handlebars.js
Handlebars.js before 4.1.0 has Remote Code Execution (RCE)
Prototype Pollution in handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2021-23383
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
- https://www.npmjs.com/package/handlebars
- https://security.netapp.com/advisory/ntap-20210618-0007/
- https://github.com/advisories/GHSA-765h-qjxv-5f44
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Cross-Site Scripting in handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2015-8861
- https://github.com/advisories/GHSA-9prh-257w-9277
- https://github.com/wycats/handlebars.js/pull/1083
- https://blog.srcclr.com/handlebars_vulnerability_research_findings/
- https://www.npmjs.com/advisories/61
- https://www.sourceclear.com/blog/handlebars_vulnerability_research_findings/
- https://www.tenable.com/security/tns-2016-18
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- http://www.securityfocus.com/bid/96434
Versions of handlebars prior to 4.0.0 are affected by a cross-site scripting vulnerability when attributes in handlebar templates are not quoted.
Proof of Concept
Template:
<a href={{foo}}/>
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href=test.com onload=alert(1)/>
Recommendation
Update to version 4.0.0 or later. Alternatively, ensure that all attributes in handlebars templates are encapsulated with quotes.
Remote code execution in handlebars when compiling templates
- https://nvd.nist.gov/vuln/detail/CVE-2021-23369
- https://github.com/advisories/GHSA-f2jv-r9rf-7988
- https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://security.netapp.com/advisory/ntap-20210604-0008/
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Moderate severity vulnerability that affects handlebars
Withdrawn: Duplicate of GHSA-9prh-257w-9277
Denial of Service
Crash Node.js process from handlebars using a small and simple source
Quoteless Attributes in Templates can lead to Content Injection
Not using quotes around attributes in handlebar templates can lead to content injection.
Example
Template:
<a href={{foo}}/>
Input:
{ 'foo' : 'test.com onload=alert(1)'}
Rendered result:
<a href=test.com onload=alert(1)/>
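The quoting issue shown in the two advisories above (the XSS advisory with its proof of concept and the content-injection note), as an added example that is not from the page or the handlebars project: a toy renderer with a model of Handlebars' HTML escape set, showing that before 4.0.0 an unquoted attribute let the payload become a separate onload attribute, while quoting the attribute, or the 4.0.0 fix that added `=` to the escaped characters, keeps the value inside href. The helpers escapeWith, render and attributeNames are constructed for this demonstration.

```javascript
// Added example (not from the advisory or the handlebars project).
// Models Handlebars' HTML escaping to show why the unquoted-attribute
// template is injectable and how the two mitigations contain the payload.

// Characters Handlebars escaped before 4.0.0: note that '=' is absent.
const ESCAPE_PRE_4 = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '`': '&#x60;',
};
// 4.0.0 added '=' to the escape set, so an injected "name=value" can no
// longer form a new attribute inside an unquoted one.
const ESCAPE_4 = { ...ESCAPE_PRE_4, '=': '&#x3D;' };

// Escape every character present in `table` (constructed helper).
function escapeWith(table, value) {
  const re = new RegExp('[' + Object.keys(table).join('') + ']', 'g');
  return String(value).replace(re, (ch) => table[ch]);
}

// Toy renderer: replaces {{name}} with the escaped context value.
function render(template, context, table) {
  return template.replace(/\{\{(\w+)\}\}/g,
    (_, name) => escapeWith(table, context[name]));
}

// Attribute names a browser would see in one rendered start tag
// (constructed, simplified HTML attribute tokenizer: a name runs until
// whitespace, '/', '>' or '=', and entities inside names are NOT decoded).
function attributeNames(tag) {
  const body = tag.replace(/^<\w+\s*/, '').replace(/\/?>$/, '');
  const re = /([^\s"'>\/=]+)(?:=(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const names = [];
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1]);
  return names;
}

// Constructed input, taken from the advisory's proof of concept.
const ctx = { foo: 'test.com onload=alert(1)' };
const cases = {
  unquotedPre4: render('<a href={{foo}}/>', ctx, ESCAPE_PRE_4),
  unquoted4:    render('<a href={{foo}}/>', ctx, ESCAPE_4),
  quotedPre4:   render('<a href="{{foo}}"/>', ctx, ESCAPE_PRE_4),
};
for (const [name, html] of Object.entries(cases)) {
  console.log(name, html, '->', attributeNames(html));
}
```

Only the unquoted pre-4.0.0 case yields an `onload` attribute; with quoting, or with `=` escaped, the whole value stays inside `href`.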
80 Other Versions
Version | License | Security | Released | Age |
---|---|---|---|---|
4.7.8 | MIT | | 2023-08-01 - 21:19 | 9 months |
4.7.7 | MIT | | 2021-02-15 - 09:39 | about 3 years |
4.7.6 | MIT | 2 | 2020-04-03 - 17:59 | about 4 years |
4.7.5 | MIT | 2 | 2020-04-02 - 19:10 | about 4 years |
4.7.4 | MIT | 2 | 2020-04-01 - 17:21 | about 4 years |
4.7.3 | MIT | 2 | 2020-02-05 - 05:11 | about 4 years |
4.7.2 | MIT | 2 | 2020-01-13 - 20:53 | over 4 years |
4.7.1 | MIT | 2 | 2020-01-12 - 12:21 | over 4 years |
4.7.0 | MIT | 2 | 2020-01-10 - 16:24 | over 4 years |
4.6.0 | MIT | 2 | 2020-01-08 - 22:45 | over 4 years |
4.5.3 | MIT | 3 | 2019-11-18 - 07:11 | over 4 years |
4.5.2 | MIT | 6 | 2019-11-13 - 21:08 | over 4 years |
4.5.1 | MIT | 7 | 2019-10-29 - 04:42 | over 4 years |
4.5.0 | MIT | 7 | 2019-10-28 - 18:48 | over 4 years |
4.4.5 | MIT | 7 | 2019-10-20 - 21:08 | over 4 years |
4.4.4 | MIT | 9 | 2019-10-20 - 19:35 | over 4 years |
4.4.3 | MIT | 9 | 2019-10-08 - 20:06 | over 4 years |
4.4.2 | MIT | 9 | 2019-10-02 - 20:47 | over 4 years |
4.4.1 | MIT | 9 | 2019-10-02 - 19:53 | over 4 years |
4.4.0 | MIT | 9 | 2019-09-29 - 13:30 | over 4 years |
4.3.5 | MIT | 9 | 2019-10-02 - 20:06 | over 4 years |
4.3.4 | MIT | 9 | 2019-09-28 - 11:37 | over 4 years |
4.3.3 | MIT | 9 | 2019-09-27 - 05:47 | over 4 years |
4.3.2 | MIT | 9 | 2019-09-26 - 21:59 | over 4 years |
4.3.1 | MIT | 9 | 2019-09-24 - 22:35 | over 4 years |
4.3.0 | MIT | 9 | 2019-09-24 - 06:11 | over 4 years |
4.2.2 | MIT | 10 | 2019-10-02 - 20:13 | over 4 years |
4.2.1 | MIT | 10 | 2019-09-20 - 17:41 | over 4 years |
4.2.0 | MIT | 10 | 2019-09-03 - 19:58 | over 4 years |
4.1.2 | MIT | 10 | 2019-04-13 - 14:20 | about 5 years |
4.1.2-0 | MIT | 11 | 2019-08-25 - 16:07 | over 4 years |
4.1.1 | MIT | 11 | 2019-03-16 - 21:29 | about 5 years |
4.1.0 | MIT | 11 | 2019-02-07 - 09:48 | about 5 years |
4.0.14 | MIT | 11 | 2019-04-13 - 14:39 | about 5 years |
4.0.13 | MIT | 12 | 2019-02-07 - 10:28 | about 5 years |
4.0.12 | MIT | 12 | 2018-09-04 - 18:46 | over 5 years |
4.0.11 | MIT | 12 | 2017-10-17 - 20:53 | over 6 years |
4.0.10 | MIT | 12 | 2017-05-21 - 12:11 | almost 7 years |
4.0.9 | MIT | 12 | 2017-05-21 - 11:40 | almost 7 years |
4.0.8 | MIT | 12 | 2017-05-02 - 20:56 | almost 7 years |
4.0.7 | MIT | 12 | 2017-04-29 - 20:54 | almost 7 years |
4.0.6 | MIT | 12 | 2016-11-13 - 01:27 | over 7 years |
4.0.5 | MIT | 12 | 2015-11-20 - 05:07 | over 8 years |
4.0.4 | MIT | 12 | 2015-10-29 - 06:57 | over 8 years |
4.0.3 | MIT | 12 | 2015-09-24 - 03:41 | over 8 years |
4.0.2 | MIT | 12 | 2015-09-04 - 14:13 | over 8 years |
4.0.1 | MIT | 12 | 2015-09-03 - 02:21 | over 8 years |
4.0.0 | MIT | 12 | 2015-09-01 - 13:19 | over 8 years |
3.0.8 | MIT | 7 | 2020-02-23 - 10:02 | about 4 years |
3.0.7 | MIT | 12 | 2019-06-30 - 08:54 | almost 5 years |
3.0.6 | MIT | 13 | 2019-01-02 - 09:19 | over 5 years |
3.0.5 | MIT | 13 | 2018-12-15 - 13:16 | over 5 years |
3.0.4 | MIT | 13 | 2018-12-15 - 12:55 | over 5 years |
3.0.3 | MIT | 13 | 2015-04-28 - 19:52 | almost 9 years |
3.0.2 | MIT | 13 | 2015-04-20 - 08:11 | about 9 years |
3.0.1 | MIT | 13 | 2015-03-24 - 19:22 | about 9 years |
3.0.0 | MIT | 13 | 2015-02-10 - 06:19 | about 9 years |
2.0.0 | MIT | 13 | 2014-09-02 - 02:28 | over 9 years |
2.0.0-beta.1 | MIT | 13 | 2014-08-26 - 23:56 | over 9 years |
2.0.0-alpha.4 | MIT | 13 | 2014-05-20 - 04:15 | almost 10 years |
2.0.0-alpha.3 | MIT | 13 | 2014-05-20 - 03:29 | almost 10 years |
2.0.0-alpha.2 | MIT | 13 | 2014-03-06 - 07:29 | about 10 years |
2.0.0-alpha.1 | MIT | 13 | 2014-02-10 - 08:13 | about 10 years |
1.3.0 | MIT | 13 | 2014-01-02 - 04:10 | over 10 years |
1.2.1 | MIT | 13 | 2013-12-26 - 22:29 | over 10 years |
1.2.0 | MIT | 13 | 2013-12-24 - 03:40 | over 10 years |
1.1.2 | BSD | 13 | 2013-11-06 - 00:10 | over 10 years |
1.1.1 | BSD | 13 | 2013-11-04 - 16:51 | over 10 years |
1.1.0 | BSD | 13 | 2013-11-04 - 03:26 | over 10 years |
1.0.12 | MIT | 13 | 2013-05-31 - 18:17 | almost 11 years |
1.0.11 | MIT | 13 | 2013-05-14 - 04:09 | almost 11 years |
1.0.10 | MIT | 13 | 2013-02-27 - 13:52 | about 11 years |
1.0.9 | MIT | 13 | 2013-02-16 - 01:42 | about 11 years |
1.0.8 | MIT | 13 | 2013-01-19 - 08:16 | over 11 years |
1.0.7 | MIT | 13 | 2012-09-18 - 00:27 | over 11 years |
1.0.6 | MIT | 13 | 2012-07-23 - 20:40 | almost 12 years |
1.0.6-2 | MIT | 13 | 2012-07-31 - 16:51 | over 11 years |
1.0.5-beta | MIT | 13 | 2012-02-09 - 17:06 | about 12 years |
1.0.4-beta | MIT | 13 | 2012-01-17 - 20:31 | over 12 years |
1.0.2-beta | MIT | 13 | 2011-08-22 - 07:43 | over 12 years |