Package details: pkg:npm/handlebars@4.7.8
purl pkg:npm/handlebars@4.7.8
Next non-vulnerable version 4.7.9
Latest non-vulnerable version 4.7.9
Risk 4.5
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-2r9d-e4z2-ckbh
Aliases:
CVE-2026-33916
GHSA-2qvq-rjwj-gvw9
handlebars.js: Handlebars: Cross-Site Scripting (XSS) via prototype pollution in partial resolution
4.7.9
Affected by 0 other vulnerabilities.
VCID-4e4r-qabs-cbg7
Aliases:
CVE-2026-33941
GHSA-xjpj-3mr7-gcpf
handlebars.js: Handlebars: Arbitrary code execution via CLI precompiler input sanitization flaw
4.7.9
Affected by 0 other vulnerabilities.
VCID-4sp5-ymgy-qfg4
Aliases:
CVE-2026-33937
GHSA-2w6w-674q-4c4q
handlebars.js: Handlebars: Remote Code Execution via crafted Abstract Syntax Tree object in compile()
4.7.9
Affected by 0 other vulnerabilities.
VCID-81p2-vehj-hub1
Aliases:
CVE-2026-33940
GHSA-xhpv-hc6g-r9c6
handlebars.js: Handlebars.js: Arbitrary code execution via crafted template context
4.7.9
Affected by 0 other vulnerabilities.
VCID-bkew-8c9k-mbh2
Aliases:
CVE-2026-33938
GHSA-3mfm-83xf-c92r
handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite
4.7.9
Affected by 0 other vulnerabilities.
VCID-cxf4-xmgb-aue5
Aliases:
CVE-2026-33939
GHSA-9cx6-37pm-9jff
handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
4.7.9
Affected by 0 other vulnerabilities.
VCID-rrb5-uk9f-zbc8
Aliases:
GHSA-442j-39wm-28r2
Handlebars.js has a Property Access Validation Bypass in container.lookup

## Summary

In `lib/handlebars/runtime.js`, the `container.lookup()` function uses `container.lookupProperty()` as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (`depths[i][name]`). This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that `lookupProperty` may perform.

Only relevant when the **compat** compile option is enabled (`{compat: true}`), which activates `depthedLookup` in `lib/handlebars/compiler/javascript-compiler.js`.

## Description

The vulnerable code in `lib/handlebars/runtime.js` (lines 137–144):

```javascript
lookup: function (depths, name) {
  const len = depths.length;
  for (let i = 0; i < len; i++) {
    let result = depths[i] && container.lookupProperty(depths[i], name);
    if (result != null) {
      return depths[i][name]; // BUG: should be `return result;`
    }
  }
},
```

`container.lookupProperty()` (lines 119–136) enforces `hasOwnProperty` checks and `resultIsAllowed()` prototype-access controls. However, `container.lookup()` only uses `lookupProperty` as a boolean gate: if the gate passes (`result != null`), it then performs an independent, raw `depths[i][name]` access that circumvents any transformation or wrapped value that `lookupProperty` may have returned.

## Workarounds

- Avoid enabling `{ compat: true }` when rendering templates that include untrusted data.
- Ensure context data objects are plain JSON (no Proxies, no getter-based accessor properties).
4.7.9
Affected by 0 other vulnerabilities.
VCID-yv4k-1q7a-wqee
Aliases:
GHSA-7rx3-28cr-v5wh
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry

## Summary

The prototype method blocklist in `lib/handlebars/internal/proto-access.js` blocks `constructor`, `__defineGetter__`, `__defineSetter__`, and `__lookupGetter__`, but omits the symmetric `__lookupSetter__`. This omission is only exploitable when the non-default runtime option `allowProtoMethodsByDefault: true` is explicitly set. In that configuration `__lookupSetter__` becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.

`4.6.0` is the version that introduced `protoAccessControl` and the `allowProtoMethodsByDefault` runtime option.

## Description

In `lib/handlebars/internal/proto-access.js`:

```javascript
const methodWhiteList = Object.create(null);
methodWhiteList['constructor'] = false;
methodWhiteList['__defineGetter__'] = false;
methodWhiteList['__defineSetter__'] = false;
methodWhiteList['__lookupGetter__'] = false;
// __lookupSetter__ intentionally blocked in CVE-2021-23383,
// but omitted here — creating an asymmetric blocklist
```

All four legacy accessor helpers (`__defineGetter__`, `__defineSetter__`, `__lookupGetter__`, `__lookupSetter__`) were involved in the exploit chain addressed by CVE-2021-23383. Three of the four were explicitly blocked; `__lookupSetter__` was left out.

When `allowProtoMethodsByDefault: true` is set, any prototype method **not present** in `methodWhiteList` is permitted by default. Because `__lookupSetter__` is absent from the list, it passes the `checkWhiteList` check and is accessible in templates, while `__lookupGetter__` (its sibling) is correctly denied.

## Workarounds

- Do **not** set `allowProtoMethodsByDefault: true`. The default configuration is not affected.
- If `allowProtoMethodsByDefault` must be enabled, ensure templates do not reference `__lookupSetter__` through untrusted input.
4.7.9
Affected by 0 other vulnerabilities.
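The two GHSA entries above (GHSA-442j-39wm-28r2 and GHSA-7rx3-28cr-v5wh) describe the same gate from two sides: `lookupProperty` feeding `resultIsAllowed`, and the method blocklist that `resultIsAllowed` consults. The following is an added, self-contained model of that gate, not Handlebars' own code and not part of this VulnerableCode page; only the `lookup` loop is transcribed from the snippet quoted in GHSA-442j-39wm-28r2. The bodies of `resultIsAllowed` and `checkWhiteList`, and the helper names `buildMethodBlocklist`, `makeContainer`, `methodAccess`, `lookupBuggy`, `lookupFixed` and `toctouDemo`, are assumptions made for the demonstration. It runs under Node with no dependencies and shows (a) why `__lookupSetter__` slips through only when `allowProtoMethodsByDefault: true` is set, and (b) how a prototype getter turns the buggy `lookup` into a bypass: the gated read sees plain data, the raw second read returns a function.

```javascript
// Added illustration of the Handlebars proto-access gate (not the library's code).
// Names that appear in the advisories are kept; the internals are an assumed model.

// The blocklist quoted in GHSA-7rx3-28cr-v5wh; `fixed` adds the missing entry.
function buildMethodBlocklist(fixed) {
  const list = Object.create(null);
  list['constructor'] = false;
  list['__defineGetter__'] = false;
  list['__defineSetter__'] = false;
  list['__lookupGetter__'] = false;
  if (fixed) list['__lookupSetter__'] = false; // symmetric entry the 4.7.8 list lacks
  return list;
}

// Assumed shape of checkWhiteList: an explicit entry wins; anything absent from the
// list is decided by the allowProtoMethodsByDefault runtime option.
function checkWhiteList(list, name, options) {
  if (name in list) return list[name];
  return !!options.allowProtoMethodsByDefault;
}

// Assumed resultIsAllowed: plain (non-function) values reached through the prototype
// chain are allowed; functions must pass the method blocklist.
function resultIsAllowed(result, list, options, name) {
  if (typeof result !== 'function') return true;
  return checkWhiteList(list, name, options);
}

function makeContainer(list, options) {
  const container = {
    // Own properties pass; prototype properties are filtered by resultIsAllowed.
    lookupProperty(parent, name) {
      const result = parent[name];
      if (result == null) return result;
      if (Object.prototype.hasOwnProperty.call(parent, name)) return result;
      if (resultIsAllowed(result, list, options, name)) return result;
      return undefined;
    },
    // The loop quoted from runtime.js: gate on lookupProperty, then re-read raw.
    lookupBuggy(depths, name) {
      for (let i = 0; i < depths.length; i++) {
        const result = depths[i] && container.lookupProperty(depths[i], name);
        if (result != null) return depths[i][name]; // unguarded second access
      }
    },
    // The corrected loop: return the value the gate actually validated.
    lookupFixed(depths, name) {
      for (let i = 0; i < depths.length; i++) {
        const result = depths[i] && container.lookupProperty(depths[i], name);
        if (result != null) return result;
      }
    },
  };
  return container;
}

// (a) Blocklist gap: does `name` resolve to a callable through a plain object's
// prototype chain (Object.prototype carries the legacy accessor helpers)?
function methodAccess(name, allowProtoMethodsByDefault, fixed) {
  const ctx = Object.create({});
  const container = makeContainer(buildMethodBlocklist(fixed), { allowProtoMethodsByDefault });
  return typeof container.lookupProperty(ctx, name) === 'function';
}

// (b) TOCTOU: a constructed context whose prototype getter returns plain data on the
// first (gated) read and a function on the second (raw) read. Returns typeof result.
function toctouDemo(fixed) {
  let reads = 0;
  const proto = {};
  Object.defineProperty(proto, 'leak', {
    get() {
      reads += 1;
      return reads === 1 ? 'harmless' : function reached() { return 'reached'; };
    },
  });
  const ctx = Object.create(proto);
  const container = makeContainer(buildMethodBlocklist(true), { allowProtoMethodsByDefault: false });
  const value = fixed ? container.lookupFixed([ctx], 'leak') : container.lookupBuggy([ctx], 'leak');
  return typeof value;
}

console.log('default config, __lookupSetter__ callable:', methodAccess('__lookupSetter__', false, false));
console.log('allowProtoMethodsByDefault, __lookupSetter__ callable:', methodAccess('__lookupSetter__', true, false));
console.log('allowProtoMethodsByDefault, __lookupGetter__ callable:', methodAccess('__lookupGetter__', true, false));
console.log('buggy lookup returns:', toctouDemo(false), '/ fixed lookup returns:', toctouDemo(true));
```

Both checks pass in the default configuration of the model, which matches the advisories' note that neither issue affects defaults: the method gap needs `allowProtoMethodsByDefault: true`, and the TOCTOU needs `compat: true` plus a context object with accessor properties, which is why the workaround asks for plain JSON contexts. The `Fixed by` column above gives 4.7.9 for both, so upgrading is the fix rather than relying on either workaround.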
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T07:38:02.039410+00:00 GitLab Importer Affected by VCID-rrb5-uk9f-zbc8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GHSA-442j-39wm-28r2.yml 38.6.0
2026-06-06T07:38:01.771379+00:00 GitLab Importer Affected by VCID-yv4k-1q7a-wqee https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/GHSA-7rx3-28cr-v5wh.yml 38.6.0
2026-06-06T07:37:39.166397+00:00 GitLab Importer Affected by VCID-bkew-8c9k-mbh2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33938.yml 38.6.0
2026-06-06T07:37:37.393289+00:00 GitLab Importer Affected by VCID-4e4r-qabs-cbg7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33941.yml 38.6.0
2026-06-06T07:37:25.786298+00:00 GitLab Importer Affected by VCID-4sp5-ymgy-qfg4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33937.yml 38.6.0
2026-06-06T07:37:21.762119+00:00 GitLab Importer Affected by VCID-81p2-vehj-hub1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33940.yml 38.6.0
2026-06-06T07:37:15.894791+00:00 GitLab Importer Affected by VCID-cxf4-xmgb-aue5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33939.yml 38.6.0
2026-06-06T07:36:12.553916+00:00 GitLab Importer Affected by VCID-2r9d-e4z2-ckbh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/handlebars/CVE-2026-33916.yml 38.6.0