Prototype Pollution

Affecting handlebars package, versions <4.0.13

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Remediation

Upgrade handlebars to version 4.0.13 or higher.

References

Do your applications use this vulnerable package?

CVSS Score

7.3
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Credit
Mahmoud Gamal, Matias Lang
CWE
CWE-471
Snyk ID
SNYK-JS-HANDLEBARS-173692
Disclosed
28 Dec, 2018
Published
14 Feb, 2019