Search for packages
| purl | pkg:npm/handlebars@4.0.8 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-25sr-kapq-dbea
Aliases: GHSA-f52g-6jhx-586p GMS-2020-728 |
Denial of Service in handlebars Affected versions of `handlebars` are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. ## Recommendation Upgrade to version 4.4.5 or later. |
Affected by 13 other vulnerabilities. |
|
VCID-2r9d-e4z2-ckbh
Aliases: CVE-2026-33916 GHSA-2qvq-rjwj-gvw9 |
handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution |
Affected by 0 other vulnerabilities. |
|
VCID-3ej8-4wrb-dqed
Aliases: CVE-2021-23383 GHSA-765h-qjxv-5f44 |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. |
Affected by 8 other vulnerabilities. |
|
VCID-4e4r-qabs-cbg7
Aliases: CVE-2026-33941 GHSA-xjpj-3mr7-gcpf |
handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw |
Affected by 0 other vulnerabilities. |
|
VCID-4sp5-ymgy-qfg4
Aliases: CVE-2026-33937 GHSA-2w6w-674q-4c4q |
handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile() |
Affected by 0 other vulnerabilities. |
|
VCID-7c3a-mqkm-3ycc
Aliases: CVE-2019-20920 GHSA-3cqr-58rm-57f8 |
Improper Control of Generation of Code ('Code Injection') Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS). |
Affected by 9 other vulnerabilities. |
|
VCID-81p2-vehj-hub1
Aliases: CVE-2026-33940 GHSA-xhpv-hc6g-r9c6 |
handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context |
Affected by 0 other vulnerabilities. |
|
VCID-bkew-8c9k-mbh2
Aliases: CVE-2026-33938 GHSA-3mfm-83xf-c92r |
handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite |
Affected by 0 other vulnerabilities. |
|
VCID-cfg5-1ju5-73b1
Aliases: CVE-2019-20922 GHSA-62gr-4qp9-h98f |
Uncontrolled Resource Consumption Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources. |
Affected by 13 other vulnerabilities. |
|
VCID-cxf4-xmgb-aue5
Aliases: CVE-2026-33939 GHSA-9cx6-37pm-9jff |
handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation |
Affected by 0 other vulnerabilities. |
|
VCID-f1td-t6kf-wfcm
Aliases: GHSA-q42p-pg8m-cqh6 GMS-2019-126 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-nhz2-v28w-gye1
Aliases: CVE-2019-19919 GHSA-w457-6q6x-cgp9 |
Prototype Pollution in handlebars The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. Versions Affected: 0.3.3.5-0.3.3.8 Not affected: < 0.3.3.5 Fixed Versions: None Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads. |
Affected by 15 other vulnerabilities. |
|
VCID-q9rt-jtx1-hybx
Aliases: GHSA-q2c6-c6pm-g3gh GMS-2020-730 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 9 other vulnerabilities. |
|
VCID-rrb5-uk9f-zbc8
Aliases: GHSA-442j-39wm-28r2 |
Handlebars.js has a Property Access Validation Bypass in container.lookup ## Summary In `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform. Only relevant when the **compat** compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`. ## Description The vulnerable code in `lib/handlebars/runtime.js` (lines 137–144): ```javascript lookup: function (depths, name) { const len = depths.length; for (let i = 0; i < len; i++) { let result = depths[i] && container.lookupProperty(depths[i], name); if (result != null) { return depths[i][name]; // BUG: should be `return result;` } } }, ``` `container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate — if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned. ## Workarounds - Avoid enabling `{ compat: true }` when rendering templates that include untrusted data. - Ensure context data objects are plain JSON (no Proxies, no getter-based accessor properties). |
Affected by 0 other vulnerabilities. |
|
VCID-s9ab-ntdt-vkgd
Aliases: GHSA-g9r4-xpmj-mj65 GMS-2020-729 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 9 other vulnerabilities. |
|
VCID-uv5v-22z9-fbfg
Aliases: GHSA-2cf5-4w76-r9qv GMS-2020-727 |
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars. |
Affected by 12 other vulnerabilities. |
|
VCID-xxez-8xav-cfdz
Aliases: CVE-2021-23369 GHSA-f2jv-r9rf-7988 |
Remote code execution in handlebars when compiling templates The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369. |
Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||