NodeJS/handlebars/4.4.2
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
https://www.npmjs.com/package/handlebars
MIT
9 Security Vulnerabilities
Arbitrary Code Execution in handlebars
Versions of handlebars
prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
The following template can be used to demonstrate the vulnerability:
{{#with "constructor"}}
{{#with split as |a|}}
{{pop (push "alert('Vulnerable Handlebars JS');")}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 a)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
Arbitrary Code Execution in Handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2019-20920
- https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
- https://www.npmjs.com/advisories/1316
- https://www.npmjs.com/advisories/1324
- https://www.npmjs.com/package/handlebars
- https://github.com/advisories/GHSA-3cqr-58rm-57f8
- https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Regular Expression Denial of Service in Handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2019-20922
- https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
- https://www.npmjs.com/advisories/1300
- https://www.npmjs.com/package/handlebars
- https://github.com/advisories/GHSA-62gr-4qp9-h98f
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Prototype Pollution in handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2021-23383
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
- https://www.npmjs.com/package/handlebars
- https://security.netapp.com/advisory/ntap-20210618-0007/
- https://github.com/advisories/GHSA-765h-qjxv-5f44
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Remote code execution in handlebars when compiling templates
- https://nvd.nist.gov/vuln/detail/CVE-2021-23369
- https://github.com/advisories/GHSA-f2jv-r9rf-7988
- https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://security.netapp.com/advisory/ntap-20210604-0008/
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Denial of Service in handlebars
Affected versions of handlebars
are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.
Recommendation
Upgrade to version 4.4.5 or later.
Prototype Pollution in handlebars
Versions of handlebars
prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.
Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
Arbitrary Code Execution in handlebars
Versions of handlebars
prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
Denial of Service
Crash Node.js process from handlebars using a small and simple source
80 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
1.0.6 | MIT | 13 | 2012-07-23 - 20:40 | almost 12 years |
1.0.6-2 | MIT | 13 | 2012-07-31 - 16:51 | almost 12 years |
1.0.7 | MIT | 13 | 2012-09-18 - 00:27 | over 11 years |
1.0.8 | MIT | 13 | 2013-01-19 - 08:16 | over 11 years |
1.0.9 | MIT | 13 | 2013-02-16 - 01:42 | about 11 years |
1.0.10 | MIT | 13 | 2013-02-27 - 13:52 | about 11 years |
1.0.11 | MIT | 13 | 2013-05-14 - 04:09 | almost 11 years |
1.0.12 | MIT | 13 | 2013-05-31 - 18:17 | almost 11 years |
2.0.0-alpha.1 | MIT | 13 | 2014-02-10 - 08:13 | over 10 years |
1.2.0 | MIT | 13 | 2013-12-24 - 03:40 | over 10 years |
1.3.0 | MIT | 13 | 2014-01-02 - 04:10 | over 10 years |
4.0.0 | MIT | 12 | 2015-09-01 - 13:19 | over 8 years |
1.2.1 | MIT | 13 | 2013-12-26 - 22:29 | over 10 years |
3.0.4 | MIT | 13 | 2018-12-15 - 12:55 | over 5 years |
4.5.1 | MIT | 7 | 2019-10-29 - 04:42 | over 4 years |
2.0.0-alpha.2 | MIT | 13 | 2014-03-06 - 07:29 | about 10 years |
2.0.0-alpha.3 | MIT | 13 | 2014-05-20 - 03:29 | almost 10 years |
2.0.0-alpha.4 | MIT | 13 | 2014-05-20 - 04:15 | almost 10 years |
2.0.0-beta.1 | MIT | 13 | 2014-08-26 - 23:56 | over 9 years |
2.0.0 | MIT | 13 | 2014-09-02 - 02:28 | over 9 years |
3.0.0 | MIT | 13 | 2015-02-10 - 06:19 | over 9 years |
3.0.1 | MIT | 13 | 2015-03-24 - 19:22 | about 9 years |
3.0.2 | MIT | 13 | 2015-04-20 - 08:11 | about 9 years |
3.0.3 | MIT | 13 | 2015-04-28 - 19:52 | about 9 years |
4.7.4 | MIT | 2 | 2020-04-01 - 17:21 | about 4 years |
4.0.1 | MIT | 12 | 2015-09-03 - 02:21 | over 8 years |
4.0.2 | MIT | 12 | 2015-09-04 - 14:13 | over 8 years |
4.0.3 | MIT | 12 | 2015-09-24 - 03:41 | over 8 years |
4.0.4 | MIT | 12 | 2015-10-29 - 06:57 | over 8 years |
4.0.5 | MIT | 12 | 2015-11-20 - 05:07 | over 8 years |
4.0.6 | MIT | 12 | 2016-11-13 - 01:27 | over 7 years |
4.0.7 | MIT | 12 | 2017-04-29 - 20:54 | about 7 years |
4.0.8 | MIT | 12 | 2017-05-02 - 20:56 | about 7 years |
4.0.9 | MIT | 12 | 2017-05-21 - 11:40 | almost 7 years |
4.0.10 | MIT | 12 | 2017-05-21 - 12:11 | almost 7 years |
4.0.11 | MIT | 12 | 2017-10-17 - 20:53 | over 6 years |
1.0.2-beta | MIT | 13 | 2011-08-22 - 07:43 | over 12 years |
1.0.4-beta | MIT | 13 | 2012-01-17 - 20:31 | over 12 years |
1.0.5-beta | MIT | 13 | 2012-02-09 - 17:06 | over 12 years |
4.0.12 | MIT | 12 | 2018-09-04 - 18:46 | over 5 years |
4.7.7 | MIT | 2021-02-15 - 09:39 | about 3 years | |
3.0.5 | MIT | 13 | 2018-12-15 - 13:16 | over 5 years |
3.0.6 | MIT | 13 | 2019-01-02 - 09:19 | over 5 years |
4.1.0 | MIT | 11 | 2019-02-07 - 09:48 | over 5 years |
4.0.13 | MIT | 12 | 2019-02-07 - 10:28 | over 5 years |
4.1.1 | MIT | 11 | 2019-03-16 - 21:29 | about 5 years |
4.1.2 | MIT | 10 | 2019-04-13 - 14:20 | about 5 years |
4.0.14 | MIT | 11 | 2019-04-13 - 14:39 | about 5 years |
3.0.7 | MIT | 12 | 2019-06-30 - 08:54 | almost 5 years |
4.1.2-0 | MIT | 11 | 2019-08-25 - 16:07 | over 4 years |
4.2.0 | MIT | 10 | 2019-09-03 - 19:58 | over 4 years |
4.2.1 | MIT | 10 | 2019-09-20 - 17:41 | over 4 years |
4.3.0 | MIT | 9 | 2019-09-24 - 06:11 | over 4 years |
4.3.1 | MIT | 9 | 2019-09-24 - 22:35 | over 4 years |
4.3.2 | MIT | 9 | 2019-09-26 - 21:59 | over 4 years |
4.3.3 | MIT | 9 | 2019-09-27 - 05:47 | over 4 years |
4.3.4 | MIT | 9 | 2019-09-28 - 11:37 | over 4 years |
4.4.0 | MIT | 9 | 2019-09-29 - 13:30 | over 4 years |
4.4.1 | MIT | 9 | 2019-10-02 - 19:53 | over 4 years |
4.3.5 | MIT | 9 | 2019-10-02 - 20:06 | over 4 years |
4.2.2 | MIT | 10 | 2019-10-02 - 20:13 | over 4 years |
4.4.2 | MIT | 9 | 2019-10-02 - 20:47 | over 4 years |
4.4.3 | MIT | 9 | 2019-10-08 - 20:06 | over 4 years |
4.4.4 | MIT | 9 | 2019-10-20 - 19:35 | over 4 years |
4.4.5 | MIT | 7 | 2019-10-20 - 21:08 | over 4 years |
4.5.0 | MIT | 7 | 2019-10-28 - 18:48 | over 4 years |
4.7.8 | MIT | 2023-08-01 - 21:19 | 10 months | |
4.5.2 | MIT | 6 | 2019-11-13 - 21:08 | over 4 years |
4.5.3 | MIT | 3 | 2019-11-18 - 07:11 | over 4 years |
4.6.0 | MIT | 2 | 2020-01-08 - 22:45 | over 4 years |
4.7.0 | MIT | 2 | 2020-01-10 - 16:24 | over 4 years |
4.7.1 | MIT | 2 | 2020-01-12 - 12:21 | over 4 years |
4.7.2 | MIT | 2 | 2020-01-13 - 20:53 | over 4 years |
4.7.3 | MIT | 2 | 2020-02-05 - 05:11 | over 4 years |
3.0.8 | MIT | 7 | 2020-02-23 - 10:02 | about 4 years |
4.7.5 | MIT | 2 | 2020-04-02 - 19:10 | about 4 years |
4.7.6 | MIT | 2 | 2020-04-03 - 17:59 | about 4 years |
1.1.2 | BSD | 13 | 2013-11-06 - 00:10 | over 10 years |
1.1.1 | BSD | 13 | 2013-11-04 - 16:51 | over 10 years |
1.1.0 | BSD | 13 | 2013-11-04 - 03:26 | over 10 years |