VulnerableCode Package Details - pkg:npm/handlebars@4.1.1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/handlebars@4.1.1

Essentials
History (7)

purl	pkg:npm/handlebars@4.1.1

Next non-vulnerable version	4.7.7
Latest non-vulnerable version	4.7.9
Risk	4.5

Vulnerabilities affecting this package (7)

Vulnerability	Summary	Fixed by
VCID-25sr-kapq-dbea Aliases: GHSA-f52g-6jhx-586p GMS-2020-728	Denial of Service in handlebars Affected versions of `handlebars` are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service. ## Recommendation Upgrade to version 4.4.5 or later.	4.4.5 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-f1td-t6kf-wfcm Aliases: GHSA-q42p-pg8m-cqh6 GMS-2019-126	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	4.1.2 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nhz2-v28w-gye1 Aliases: CVE-2019-19919 GHSA-w457-6q6x-cgp9	Prototype Pollution in handlebars The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. Versions Affected: 0.3.3.5-0.3.3.8 Not affected: < 0.3.3.5 Fixed Versions: None Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.	4.3.0 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-q9rt-jtx1-hybx Aliases: GHSA-q2c6-c6pm-g3gh GMS-2020-730	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	4.5.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-s9ab-ntdt-vkgd Aliases: GHSA-g9r4-xpmj-mj65 GMS-2020-729	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	4.5.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-uv5v-22z9-fbfg Aliases: GHSA-2cf5-4w76-r9qv GMS-2020-727	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	4.5.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xxez-8xav-cfdz Aliases: CVE-2021-23369 GHSA-f2jv-r9rf-7988	Remote code execution in handlebars when compiling templates The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369.	4.7.7 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T20:50:30.678757+00:00	GitLab Importer	Affected by	VCID-xxez-8xav-cfdz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2021-23369.yml	38.6.0
2026-06-04T20:38:24.005989+00:00	GitLab Importer	Affected by	VCID-uv5v-22z9-fbfg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-727.yml	38.6.0
2026-06-04T20:38:12.340740+00:00	GitLab Importer	Affected by	VCID-q9rt-jtx1-hybx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-730.yml	38.6.0
2026-06-04T20:37:53.472028+00:00	GitLab Importer	Affected by	VCID-s9ab-ntdt-vkgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-729.yml	38.6.0
2026-06-04T20:36:34.221721+00:00	GitLab Importer	Affected by	VCID-25sr-kapq-dbea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-728.yml	38.6.0
2026-06-04T20:26:11.789795+00:00	GitLab Importer	Affected by	VCID-nhz2-v28w-gye1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2019-19919.yml	38.6.0
2026-06-04T20:22:22.516322+00:00	GitLab Importer	Affected by	VCID-f1td-t6kf-wfcm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2019-126.yml	38.6.0