Severity: high

    Arbitrary Code Execution

    handlebars

    Overview

    Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript on the system. This is due to an incomplete fix for a previous issue. The vulnerability can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as Cross-Site Scripting).

    Remediation

    Upgrade to version 3.0.8, 4.5.3 or later.
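
    One way to act on this remediation, as an added example that is not part of the advisory or of npm's tooling: a JavaScript check that lists every handlebars copy in a parsed package-lock.json, nested transitive copies included, and flags those below the fixed releases. It reads "prior to 3.0.8 or 4.5.3" as below 3.0.8, or 4.x below 4.5.3 (an assumption); the sample lockfile and its package names are constructed.

```javascript
// Added example. Assumption: "prior to 3.0.8 or 4.5.3" is read as
// < 3.0.8 on the 3.x-and-older line, or 4.x < 4.5.3.
const FIXED_LEGACY = [3, 0, 8], FIXED_V4 = [4, 5, 3];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// true = affected, false = fixed, null = unparseable (git URL, tag): review by hand
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return null;
  if (v[0] >= 4) return v[0] === 4 && lessThan(v, FIXED_V4);
  return lessThan(v, FIXED_LEGACY);
}

// Collect every installed handlebars copy, including nested transitive ones.
function findHandlebars(lock) {
  const hits = [];
  const add = (path, v) => hits.push({ path, version: v, vulnerable: isVulnerable(v) });
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/handlebars$/.test(path)) add(path, pkg.version);
    }
  } else { // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, trail) => {
      for (const [name, dep] of Object.entries(deps || {})) {
        if (name === "handlebars") add(trail + name, dep.version);
        walk(dep.dependencies, trail + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile; package names other than handlebars are made up.
const sampleLock = { packages: {
  "node_modules/handlebars": { version: "4.5.3" },
  "node_modules/some-tool/node_modules/handlebars": { version: "4.1.2" },
  "node_modules/old-cli/node_modules/handlebars": { version: "3.0.7" },
} };
console.log(findHandlebars(sampleLock).filter((h) => h.vulnerable !== false));
```

    A direct dependency at a fixed version does not clear a project: the nested copies in the sample are the ones still affected.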


    Advisory timeline

    1. Advisory published: Nov 19th, 2019
    2. Reported by Unknown: Nov 18th, 2019