Handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution

Created on 8 November 2023, about 1 year ago

Problem/Motivation

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Supported Links: https://www.npmjs.com/advisories/1164
https://www.tenable.com/security/tns-2021-14

Steps to reproduce

Security risk tools reporting the usage of handlebar js prior to 4.3.0, The CVE number CVE-2019-19919 for handlebar JS security vulnerability exposed.

Proposed resolution

Update handlebar js to its latest version (4.7.8)

🐛 Bug report

Status

Active

Version

3.1

Component

Code

Created by

🇮🇳India kanchamk

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @kanchamk
Comment about 1 year ago →
🇮🇳India kanchamk
Comment about 1 year ago →
🇮🇳India kanchamk
Comment about 1 year ago →
🇮🇳India kanchamk

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024