VulnerableCode Package Details - pkg:npm/handlebars@3.0.8

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-f5rz-dtuy-bbgx	Prototype Pollution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions. ## Recommendation Upgrade to version 3.0.8, 4.5.3 or later.	GHSA-g9r4-xpmj-mj65
VCID-kyw8-zzpv-67c1	Prototype Pollution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads. ## Recommendation Upgrade to version 3.0.8, 4.3.0 or later.	CVE-2019-19919 GHSA-w457-6q6x-cgp9
VCID-wkcp-xswz-t3d9	Arbitrary Code Execution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a [previous issue](https://www.npmjs.com/advisories/1316). This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). ## Recommendation Upgrade to version 3.0.8, 4.5.3 or later.	GHSA-q2c6-c6pm-g3gh
VCID-x86m-h2at-37am	Arbitrary Code Execution in Handlebars Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).	CVE-2019-20920 GHSA-3cqr-58rm-57f8
VCID-xcuy-x2xk-6ya9	Arbitrary Code Execution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). The following template can be used to demonstrate the vulnerability: ```{{#with "constructor"}} {{#with split as \|a\|}} {{pop (push "alert('Vulnerable Handlebars JS');")}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 a)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}}``` ## Recommendation Upgrade to version 3.0.8, 4.5.2 or later.	GHSA-2cf5-4w76-r9qv

Vulnerability

Summary

Aliases

VCID-f5rz-dtuy-bbgx

Prototype Pollution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions. ## Recommendation Upgrade to version 3.0.8, 4.5.3 or later.

GHSA-g9r4-xpmj-mj65

VCID-kyw8-zzpv-67c1

Prototype Pollution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Objects' `__proto__` and `__defineGetter__` properties, which may allow an attacker to execute arbitrary code through crafted payloads. ## Recommendation Upgrade to version 3.0.8, 4.3.0 or later.

CVE-2019-19919
GHSA-w457-6q6x-cgp9

VCID-wkcp-xswz-t3d9

Arbitrary Code Execution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a [previous issue](https://www.npmjs.com/advisories/1316). This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). ## Recommendation Upgrade to version 3.0.8, 4.5.3 or later.

GHSA-q2c6-c6pm-g3gh

VCID-x86m-h2at-37am

Arbitrary Code Execution in Handlebars Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

CVE-2019-20920
GHSA-3cqr-58rm-57f8

VCID-xcuy-x2xk-6ya9

Arbitrary Code Execution in handlebars Versions of `handlebars` prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting). The following template can be used to demonstrate the vulnerability: ```{{#with "constructor"}} {{#with split as |a|}} {{pop (push "alert('Vulnerable Handlebars JS');")}} {{#with (concat (lookup join (slice 0 1)))}} {{#each (slice 2 3)}} {{#with (apply 0 a)}} {{.}} {{/with}} {{/each}} {{/with}} {{/with}} {{/with}}``` ## Recommendation Upgrade to version 3.0.8, 4.5.2 or later.

GHSA-2cf5-4w76-r9qv

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T12:24:13.148992+00:00	GithubOSV Importer	Fixing	VCID-x86m-h2at-37am	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-3cqr-58rm-57f8/GHSA-3cqr-58rm-57f8.json	36.1.3
2025-07-01T12:21:56.262892+00:00	GithubOSV Importer	Fixing	VCID-kyw8-zzpv-67c1	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-w457-6q6x-cgp9/GHSA-w457-6q6x-cgp9.json	36.1.3
2025-07-01T12:16:45.268703+00:00	GithubOSV Importer	Fixing	VCID-xcuy-x2xk-6ya9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-2cf5-4w76-r9qv/GHSA-2cf5-4w76-r9qv.json	36.1.3
2025-07-01T12:16:37.832499+00:00	GithubOSV Importer	Fixing	VCID-f5rz-dtuy-bbgx	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-g9r4-xpmj-mj65/GHSA-g9r4-xpmj-mj65.json	36.1.3
2025-07-01T12:16:31.160659+00:00	GithubOSV Importer	Fixing	VCID-wkcp-xswz-t3d9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-q2c6-c6pm-g3gh/GHSA-q2c6-c6pm-g3gh.json	36.1.3