VulnerableCode Package Details - pkg:npm/handlebars@4.5.3

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/handlebars@4.5.3

Essentials
History (19)

purl	pkg:npm/handlebars@4.5.3

Next non-vulnerable version	4.7.9
Latest non-vulnerable version	4.7.9
Risk	4.5

Vulnerabilities affecting this package (9)

Vulnerability	Summary	Fixed by
VCID-2r9d-e4z2-ckbh Aliases: CVE-2026-33916 GHSA-2qvq-rjwj-gvw9	handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution	4.7.9 Affected by 0 other vulnerabilities.
VCID-3ej8-4wrb-dqed Aliases: CVE-2021-23383 GHSA-765h-qjxv-5f44	Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.	4.7.7 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-4e4r-qabs-cbg7 Aliases: CVE-2026-33941 GHSA-xjpj-3mr7-gcpf	handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw	4.7.9 Affected by 0 other vulnerabilities.
VCID-4sp5-ymgy-qfg4 Aliases: CVE-2026-33937 GHSA-2w6w-674q-4c4q	handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()	4.7.9 Affected by 0 other vulnerabilities.
VCID-81p2-vehj-hub1 Aliases: CVE-2026-33940 GHSA-xhpv-hc6g-r9c6	handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context	4.7.9 Affected by 0 other vulnerabilities.
VCID-bkew-8c9k-mbh2 Aliases: CVE-2026-33938 GHSA-3mfm-83xf-c92r	handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite	4.7.9 Affected by 0 other vulnerabilities.
VCID-cxf4-xmgb-aue5 Aliases: CVE-2026-33939 GHSA-9cx6-37pm-9jff	handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation	4.7.9 Affected by 0 other vulnerabilities.
VCID-rrb5-uk9f-zbc8 Aliases: GHSA-442j-39wm-28r2	Handlebars.js has a Property Access Validation Bypass in container.lookup ## Summary In `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform. Only relevant when the compat compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`. ## Description The vulnerable code in `lib/handlebars/runtime.js` (lines 137–144): ```javascript lookup: function (depths, name) { const len = depths.length; for (let i = 0; i < len; i++) { let result = depths[i] && container.lookupProperty(depths[i], name); if (result != null) { return depths[i][name]; // BUG: should be `return result;` } } }, ``` `container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate — if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned. ## Workarounds - Avoid enabling `{ compat: true }` when rendering templates that include untrusted data. - Ensure context data objects are plain JSON (no Proxies, no getter-based accessor properties).	4.7.9 Affected by 0 other vulnerabilities.
VCID-xxez-8xav-cfdz Aliases: CVE-2021-23369 GHSA-f2jv-r9rf-7988	Remote code execution in handlebars when compiling templates The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369.	4.7.7 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (3)

Vulnerability	Summary	Aliases
VCID-7c3a-mqkm-3ycc	Improper Control of Generation of Code ('Code Injection') Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).	CVE-2019-20920 GHSA-3cqr-58rm-57f8
VCID-q9rt-jtx1-hybx	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	GHSA-q2c6-c6pm-g3gh GMS-2020-730
VCID-s9ab-ntdt-vkgd	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in handlebars.	GHSA-g9r4-xpmj-mj65 GMS-2020-729

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T23:31:56.113860+00:00	GHSA Importer	Affected by	VCID-xxez-8xav-cfdz	https://github.com/advisories/GHSA-f2jv-r9rf-7988	38.6.0
2026-06-06T07:38:02.017941+00:00	GitLab Importer	Affected by	VCID-rrb5-uk9f-zbc8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GHSA-442j-39wm-28r2.yml	38.6.0
2026-06-06T07:37:39.148653+00:00	GitLab Importer	Affected by	VCID-bkew-8c9k-mbh2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33938.yml	38.6.0
2026-06-06T07:37:37.373330+00:00	GitLab Importer	Affected by	VCID-4e4r-qabs-cbg7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33941.yml	38.6.0
2026-06-06T07:37:25.765876+00:00	GitLab Importer	Affected by	VCID-4sp5-ymgy-qfg4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33937.yml	38.6.0
2026-06-06T07:37:21.741741+00:00	GitLab Importer	Affected by	VCID-81p2-vehj-hub1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33940.yml	38.6.0
2026-06-06T07:37:15.874969+00:00	GitLab Importer	Affected by	VCID-cxf4-xmgb-aue5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33939.yml	38.6.0
2026-06-06T07:36:12.532774+00:00	GitLab Importer	Affected by	VCID-2r9d-e4z2-ckbh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33916.yml	38.6.0
2026-06-06T01:27:04.366674+00:00	GitLab Importer	Affected by	VCID-3ej8-4wrb-dqed	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2021-23383.yml	38.6.0
2026-06-05T21:19:41.851003+00:00	GHSA Importer	Fixing	VCID-7c3a-mqkm-3ycc	https://github.com/advisories/GHSA-3cqr-58rm-57f8	38.6.0
2026-06-05T21:13:56.126784+00:00	GHSA Importer	Fixing	VCID-q9rt-jtx1-hybx	https://github.com/advisories/GHSA-q2c6-c6pm-g3gh	38.6.0
2026-06-05T21:13:55.909616+00:00	GHSA Importer	Fixing	VCID-s9ab-ntdt-vkgd	https://github.com/advisories/GHSA-g9r4-xpmj-mj65	38.6.0
2026-06-04T20:50:30.719583+00:00	GitLab Importer	Affected by	VCID-xxez-8xav-cfdz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2021-23369.yml	38.6.0
2026-06-04T17:50:00.400566+00:00	GithubOSV Importer	Fixing	VCID-7c3a-mqkm-3ycc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-3cqr-58rm-57f8/GHSA-3cqr-58rm-57f8.json	38.6.0
2026-06-04T17:22:10.163676+00:00	GithubOSV Importer	Fixing	VCID-s9ab-ntdt-vkgd	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-g9r4-xpmj-mj65/GHSA-g9r4-xpmj-mj65.json	38.6.0
2026-06-04T17:21:54.141497+00:00	GithubOSV Importer	Fixing	VCID-q9rt-jtx1-hybx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-q2c6-c6pm-g3gh/GHSA-q2c6-c6pm-g3gh.json	38.6.0
2026-06-04T16:20:23.256896+00:00	GitLab Importer	Fixing	VCID-q9rt-jtx1-hybx	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-730.yml	38.6.0
2026-06-04T16:20:22.225519+00:00	GitLab Importer	Fixing	VCID-s9ab-ntdt-vkgd	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GMS-2020-729.yml	38.6.0
2026-06-02T04:41:32.633146+00:00	GitLab Importer	Fixing	VCID-7c3a-mqkm-3ycc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2019-20920.yml	38.6.0