Severity: high

    Prototype Pollution

    handlebars

    Overview

    Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

    Remediation

    Upgrade to version 3.0.8, 4.3.0 or later.
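
To find installs that still need this upgrade, including transitive copies, the following added example (not part of the advisory or of handlebars itself) scans a parsed package-lock.json for handlebars below 3.0.8 or, on the 4.x line, below 4.3.0. The package names in the sample lock are hypothetical, and prerelease suffixes are ignored as a simplifying assumption.

```javascript
// Added example: flag handlebars installs covered by this advisory.
// Range as read from the advisory text: below 3.0.8, or 4.x below 4.3.0.
function parseVersion(v) {
  // Keep major.minor.patch only; prerelease/build suffixes are ignored (assumption).
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}
function isVulnerableHandlebars(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable (e.g. a git URL): report for manual review
  return lessThan(v, v[0] < 4 ? [3, 0, 8] : [4, 3, 0]);
}
function findVulnerable(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/handlebars$/.test(path) && isVulnerableHandlebars(info.version)) {
      hits.push({ path, version: info.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (name === "handlebars" && isVulnerableHandlebars(info.version)) {
        hits.push({ path: trail.concat(name).join(" > "), version: info.version });
      }
      walk(info.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock (hypothetical parent packages, not from the advisory).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    handlebars: { version: "4.7.7" },
    "report-tool": { version: "1.2.0", dependencies: { handlebars: { version: "4.1.2" } } },
    "legacy-mailer": { version: "0.9.0", dependencies: { handlebars: { version: "3.0.8" } } },
  },
};
console.log(findVulnerable(sampleLock));
```

In a real project, pass `JSON.parse` of the lock file contents to `findVulnerable`; each hit names the dependency chain or install path that pins the old version.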


    Advisory timeline

    1. Advisory Published: Sep 24th, 2019
    2. Reported by itszn: Sep 16th, 2019