GHSA-2cf5-4w76-r9qv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2cf5-4w76-r9qv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2cf5-4w76-r9qv/GHSA-2cf5-4w76-r9qv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2cf5-4w76-r9qv
- Related
- Published
- 2020-09-04T14:57:38Z
- Modified
- 2026-02-04T04:09:36.655245Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L CVSS Calculator
- Summary
- Arbitrary Code Execution in handlebars
- Details
-
Versions of
handlebarsprior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).The following template can be used to demonstrate the vulnerability:
{{#with "constructor"}} {{#with split as |a|}} {{pop (push "alert('Vulnerable Handlebars JS');")}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 a)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}}Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
- Database specific
{ "nvd_published_at": null, "github_reviewed_at": "2020-08-31T18:54:52Z", "severity": "HIGH", "cwe_ids": [ "CWE-94" ], "github_reviewed": true }- References
Affected packages
npm / handlebars
Package
- Name
- handlebars
- View open source insights on deps.dev
- Purl
- pkg:npm/handlebars
npm / handlebars
Package
- Name
- handlebars
- View open source insights on deps.dev
- Purl
- pkg:npm/handlebars