Prototype Pollution in handlebars

GHSA-q42p-pg8m-cqh6

Published Jun 5, 2019 · Modified Feb 4, 2026

Description

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Objects' prototype, thus allowing an attacker to execute arbitrary code on the server.

Recommendation

For handlebars 4.1.x upgrade to 4.1.2 or later.
For handlebars 4.0.x upgrade to 4.0.14 or later.

References

WEB https://github.com/handlebars-lang/handlebars.js/issues/1495
WEB https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac
WEB https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86
WEB https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4
WEB https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e
WEB https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692
WEB https://www.npmjs.com/advisories/755

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes