NodeJS/handlebars/4.4.5
Handlebars provides the power necessary to let you build semantic templates effectively with no frustration
https://www.npmjs.com/package/handlebars
MIT
7 Security Vulnerabilities
Arbitrary Code Execution in handlebars
Versions of handlebars
prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
The following template can be used to demonstrate the vulnerability:
{{#with "constructor"}}
{{#with split as |a|}}
{{pop (push "alert('Vulnerable Handlebars JS');")}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 a)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
Arbitrary Code Execution in Handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2019-20920
- https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
- https://www.npmjs.com/advisories/1316
- https://www.npmjs.com/advisories/1324
- https://www.npmjs.com/package/handlebars
- https://github.com/advisories/GHSA-3cqr-58rm-57f8
- https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Prototype Pollution in handlebars
- https://nvd.nist.gov/vuln/detail/CVE-2021-23383
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
- https://www.npmjs.com/package/handlebars
- https://security.netapp.com/advisory/ntap-20210618-0007/
- https://github.com/advisories/GHSA-765h-qjxv-5f44
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Remote code execution in handlebars when compiling templates
- https://nvd.nist.gov/vuln/detail/CVE-2021-23369
- https://github.com/advisories/GHSA-f2jv-r9rf-7988
- https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
- https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767
- https://security.netapp.com/advisory/ntap-20210604-0008/
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Prototype Pollution in handlebars
Versions of handlebars
prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.
Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
Arbitrary Code Execution in handlebars
Versions of handlebars
prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
Recommendation
Upgrade to version 3.0.8, 4.5.3 or later.
Denial of Service
Crash Node.js process from handlebars using a small and simple source
80 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
4.7.8 | MIT | 2023-08-01 - 21:19 | about 1 year | |
4.7.7 | MIT | 2021-02-15 - 09:39 | over 3 years | |
4.7.6 | MIT | 2 | 2020-04-03 - 17:59 | over 4 years |
4.7.5 | MIT | 2 | 2020-04-02 - 19:10 | over 4 years |
4.7.4 | MIT | 2 | 2020-04-01 - 17:21 | over 4 years |
4.7.3 | MIT | 2 | 2020-02-05 - 05:11 | over 4 years |
4.7.2 | MIT | 2 | 2020-01-13 - 20:53 | over 4 years |
4.7.1 | MIT | 2 | 2020-01-12 - 12:21 | over 4 years |
4.7.0 | MIT | 2 | 2020-01-10 - 16:24 | over 4 years |
4.6.0 | MIT | 2 | 2020-01-08 - 22:45 | over 4 years |
4.5.3 | MIT | 3 | 2019-11-18 - 07:11 | almost 5 years |
4.5.2 | MIT | 6 | 2019-11-13 - 21:08 | almost 5 years |
4.5.1 | MIT | 7 | 2019-10-29 - 04:42 | almost 5 years |
4.5.0 | MIT | 7 | 2019-10-28 - 18:48 | almost 5 years |
4.4.5 | MIT | 7 | 2019-10-20 - 21:08 | almost 5 years |
4.4.4 | MIT | 9 | 2019-10-20 - 19:35 | almost 5 years |
4.4.3 | MIT | 9 | 2019-10-08 - 20:06 | almost 5 years |
4.4.2 | MIT | 9 | 2019-10-02 - 20:47 | almost 5 years |
4.4.1 | MIT | 9 | 2019-10-02 - 19:53 | almost 5 years |
4.4.0 | MIT | 9 | 2019-09-29 - 13:30 | almost 5 years |
4.3.5 | MIT | 9 | 2019-10-02 - 20:06 | almost 5 years |
4.3.4 | MIT | 9 | 2019-09-28 - 11:37 | almost 5 years |
4.3.3 | MIT | 9 | 2019-09-27 - 05:47 | almost 5 years |
4.3.2 | MIT | 9 | 2019-09-26 - 21:59 | almost 5 years |
4.3.1 | MIT | 9 | 2019-09-24 - 22:35 | almost 5 years |
4.3.0 | MIT | 9 | 2019-09-24 - 06:11 | almost 5 years |
4.2.2 | MIT | 10 | 2019-10-02 - 20:13 | almost 5 years |
4.2.1 | MIT | 10 | 2019-09-20 - 17:41 | about 5 years |
4.2.0 | MIT | 10 | 2019-09-03 - 19:58 | about 5 years |
4.1.2 | MIT | 10 | 2019-04-13 - 14:20 | over 5 years |
4.1.2-0 | MIT | 11 | 2019-08-25 - 16:07 | about 5 years |
4.1.1 | MIT | 11 | 2019-03-16 - 21:29 | over 5 years |
4.1.0 | MIT | 11 | 2019-02-07 - 09:48 | over 5 years |
4.0.14 | MIT | 11 | 2019-04-13 - 14:39 | over 5 years |
4.0.13 | MIT | 12 | 2019-02-07 - 10:28 | over 5 years |
4.0.12 | MIT | 12 | 2018-09-04 - 18:46 | about 6 years |
4.0.11 | MIT | 12 | 2017-10-17 - 20:53 | almost 7 years |
4.0.10 | MIT | 12 | 2017-05-21 - 12:11 | over 7 years |
4.0.9 | MIT | 12 | 2017-05-21 - 11:40 | over 7 years |
4.0.8 | MIT | 12 | 2017-05-02 - 20:56 | over 7 years |
4.0.7 | MIT | 12 | 2017-04-29 - 20:54 | over 7 years |
4.0.6 | MIT | 12 | 2016-11-13 - 01:27 | almost 8 years |
4.0.5 | MIT | 12 | 2015-11-20 - 05:07 | almost 9 years |
4.0.4 | MIT | 12 | 2015-10-29 - 06:57 | almost 9 years |
4.0.3 | MIT | 12 | 2015-09-24 - 03:41 | almost 9 years |
4.0.2 | MIT | 12 | 2015-09-04 - 14:13 | about 9 years |
4.0.1 | MIT | 12 | 2015-09-03 - 02:21 | about 9 years |
4.0.0 | MIT | 12 | 2015-09-01 - 13:19 | about 9 years |
3.0.8 | MIT | 7 | 2020-02-23 - 10:02 | over 4 years |
3.0.7 | MIT | 12 | 2019-06-30 - 08:54 | about 5 years |
3.0.6 | MIT | 13 | 2019-01-02 - 09:19 | over 5 years |
3.0.5 | MIT | 13 | 2018-12-15 - 13:16 | almost 6 years |
3.0.4 | MIT | 13 | 2018-12-15 - 12:55 | almost 6 years |
3.0.3 | MIT | 13 | 2015-04-28 - 19:52 | over 9 years |
3.0.2 | MIT | 13 | 2015-04-20 - 08:11 | over 9 years |
3.0.1 | MIT | 13 | 2015-03-24 - 19:22 | over 9 years |
3.0.0 | MIT | 13 | 2015-02-10 - 06:19 | over 9 years |
2.0.0 | MIT | 13 | 2014-09-02 - 02:28 | about 10 years |
2.0.0-beta.1 | MIT | 13 | 2014-08-26 - 23:56 | about 10 years |
2.0.0-alpha.4 | MIT | 13 | 2014-05-20 - 04:15 | over 10 years |
2.0.0-alpha.3 | MIT | 13 | 2014-05-20 - 03:29 | over 10 years |
2.0.0-alpha.2 | MIT | 13 | 2014-03-06 - 07:29 | over 10 years |
2.0.0-alpha.1 | MIT | 13 | 2014-02-10 - 08:13 | over 10 years |
1.3.0 | MIT | 13 | 2014-01-02 - 04:10 | over 10 years |
1.2.1 | MIT | 13 | 2013-12-26 - 22:29 | over 10 years |
1.2.0 | MIT | 13 | 2013-12-24 - 03:40 | over 10 years |
1.1.2 | BSD | 13 | 2013-11-06 - 00:10 | almost 11 years |
1.1.1 | BSD | 13 | 2013-11-04 - 16:51 | almost 11 years |
1.1.0 | BSD | 13 | 2013-11-04 - 03:26 | almost 11 years |
1.0.12 | MIT | 13 | 2013-05-31 - 18:17 | over 11 years |
1.0.11 | MIT | 13 | 2013-05-14 - 04:09 | over 11 years |
1.0.10 | MIT | 13 | 2013-02-27 - 13:52 | over 11 years |
1.0.9 | MIT | 13 | 2013-02-16 - 01:42 | over 11 years |
1.0.8 | MIT | 13 | 2013-01-19 - 08:16 | over 11 years |
1.0.7 | MIT | 13 | 2012-09-18 - 00:27 | about 12 years |
1.0.6 | MIT | 13 | 2012-07-23 - 20:40 | about 12 years |
1.0.6-2 | MIT | 13 | 2012-07-31 - 16:51 | about 12 years |
1.0.5-beta | MIT | 13 | 2012-02-09 - 17:06 | over 12 years |
1.0.4-beta | MIT | 13 | 2012-01-17 - 20:31 | over 12 years |
1.0.2-beta | MIT | 13 | 2011-08-22 - 07:43 | about 13 years |