Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string. The `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. Validate input type before calling `Handlebars.compile()`; ensure the argument is always a `string`, never a plain object or JSON-deserialized value. Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.
The `Handlebars.compile()` function accepts not only a template string, but also a pre-processed AST (Abstract Syntax Tree) object. The value of the `value` field in a `NumberLiteral` type AST node is inserted directly into the generated JavaScript code without any quoting or sanitization. An attacker who can supply a crafted AST object to the `compile()` function — for example, through JSON deserialization — can inject arbitrary JavaScript code that will then be executed on the server side.
An attacker can execute arbitrary JavaScript code on the server (RCE), which potentially leads to complete system compromise, data leakage, or violation of application integrity.
The Handlebars.js library should be updated to version 4.7.9, which fixes the vulnerability. As a workaround, you can: (1) validate the argument type before calling `Handlebars.compile()` — ensure it is always a string (`string`), never an object or value obtained through JSON deserialization; (2) use the runtime-only version (`handlebars/runtime`) on the server if templates are compiled at build time — the `compile()` function will then be unavailable.
Handlebars.js (package `handlebars`) in versions from 4.0.0 to 4.7.8 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HHandlebarsjs Handlebars
APPHandlebarsjs4.0.0 – 4.7.9 (bez)
Related vulnerabilities
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8...
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fail...