CVE-2021-23369
Published 2021-04-12
Priority: P359 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.03% (93.4th percentile)
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options (per Red Hat's analysis further down, strict:true) are selected to compile templates coming from an untrusted source.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | < 3:4.7.6+~4.1.0-2 (bookworm) | 3:4.7.6+~4.1.0-2 (bookworm) |
| handlebarsjs | handlebars | < 4.7.7 (also indexed as >= 0 < 4.7.7 and >= unspecified < 4.7.7) | 4.7.7 |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |
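Checking whether a dependency tree still contains an affected copy, as an added example that is not part of this advisory or of handlebars.js. The lockfile below is constructed for the example (the `legacy-reporter` package is hypothetical); walking the lockfile's `packages` map catches nested copies that a top-level upgrade to 4.7.7 leaves behind.

```javascript
// Added example, not part of the advisory or of handlebars.js: walk a
// package-lock.json (lockfileVersion 2 or 3) and flag every installed copy
// of handlebars older than the fixed release. The lockfile is constructed.

const FIXED_VERSION = '4.7.7';

// Parse the numeric "major.minor.patch" prefix; pre-release/build suffixes
// are ignored for this check.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, 0 if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Every key of the "packages" map that ends in "node_modules/handlebars" is
// one installed copy, including copies nested under other dependencies.
function findHandlebarsCopies(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/handlebars$/.test(path)) continue;
    if (!meta || typeof meta.version !== 'string') continue;
    hits.push({
      path,
      version: meta.version,
      vulnerable: compareVersions(meta.version, FIXED_VERSION) < 0,
    });
  }
  return hits;
}

// Constructed lockfile: the top-level copy is patched, but a hypothetical
// "legacy-reporter" dependency pins its own older copy underneath it.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/handlebars': { version: '4.7.7' },
    'node_modules/legacy-reporter': { version: '2.1.0', dependencies: { handlebars: '^4.0.0' } },
    'node_modules/legacy-reporter/node_modules/handlebars': { version: '4.5.3' },
    'node_modules/uglify-js': { version: '3.13.2' },
  },
};

// Prints one line per copy found and returns only the vulnerable ones.
function audit(lock = SAMPLE_LOCK) {
  const copies = findHandlebarsCopies(lock);
  for (const c of copies) {
    console.log(`${c.path}@${c.version}: ${c.vulnerable ? `VULNERABLE (< ${FIXED_VERSION})` : 'fixed'}`);
  }
  return copies.filter(c => c.vulnerable);
}

audit();
```

`npm ls handlebars --all` gives the same view from an installed tree; the lockfile walk is useful in CI where nothing is installed. The check uses only the `< 4.7.7` boundary from the table above; the Debian row needs a separate comparison because `3:4.7.6+~4.1.0-2` is a Debian package version, not upstream semver.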
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_oracle | | 9.8 | MEDIUM | |
| vendor_debian | | 5.6 | MEDIUM | |
| vendor_redhat | | 5.6 | MEDIUM | |
Oracle
CVE-2021-23369 [MEDIUM] Oracle Fusion Middleware Risk Matrix: Samples (handlebars)
vendor_oracle · 2024-04-15 · CVSS 9.8
CVE: CVE-2021-23369
CVSS: 9.8
Protocol: HTTP
Remote exploit without authentication: Yes
Attack vector: Network
Advisory: cpuapr2024 (Oracle Critical Patch Update, April 2024)
Red Hat
CVE-2021-23369 [MEDIUM] CWE-94 nodejs-handlebars: Remote code execution when compiling untrusted templates with the strict:true option
vendor_redhat · 2021-04-12 · CVSS 5.6
A flaw was found in nodejs-handlebars. A missing check when getting prototype properties in the template function allows an attacker who can provide untrusted handlebars templates to execute arbitrary code in the JavaScript runtime (e.g. browser or server) when the template is compiled with the strict:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana pac
Debian
CVE-2021-23369 [MEDIUM] node-handlebars
vendor_debian · 2021 · CVSS 5.6
Scope: local
Fixed in 3:4.7.6+~4.1.0-2, a Debian revision of the 4.7.6 upstream source (the fix is a backported patch, not the 4.7.7 upstream release).
bookworm: resolved
bullseye: resolved
trixie: resolved
forky: resolved
sid: resolved
OSV
CVE-2026-33916 [CRITICAL] CWE-1321 Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection (a separate CVE indexed alongside this one; the ghsa entry carries identical text)
osv · 2026-03-26 · CVSS 9.8
## Summary
`resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered **without HTML escaping**, resulting in reflected or stored XSS.
## Description
The root cause is in `lib/handlebars/runtime.js` inside `resolvePartial()` and `invokePartial()`:
```javascript
// Vulnerable: plain bracket access traverses Object.prototype
partial = options.partials[options.name];
```
`hasOwnProperty` is never checked, so if `Object
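The lookup pattern in the advisory summary above, as an added illustration that is not Handlebars' own code: a toy partial resolver and renderer show why `partials[name]` returns a value planted on `Object.prototype`, and two ways to close the hole, an own-property check and a null-prototype partials map. The pollution is simulated inline and removed afterwards; the `onerror` string is constructed sample data, not an exploit.

```javascript
// Added illustration, not Handlebars' own code: a toy partial resolver and
// renderer showing why a plain bracket lookup on a partials map returns a
// value planted on Object.prototype, and two ways to prevent it.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable lookup: [] walks the prototype chain, so a name that is absent
// from `partials` but present on Object.prototype is still "found".
function resolvePartialVulnerable(partials, name) {
  return partials[name];
}

// Hardened lookup: only the map's own properties count.
function resolvePartialHardened(partials, name) {
  return Object.prototype.hasOwnProperty.call(partials, name) ? partials[name] : undefined;
}

// Toy renderer. "{{> name}}" inlines a partial body unescaped (a partial is
// template code, not data), then "{{key}}" inserts HTML-escaped context data.
function render(template, context, partials, resolvePartial) {
  const withPartials = template.replace(/\{\{>\s*([\w.]+)\s*\}\}/g, (_, name) => {
    const body = resolvePartial(partials, name);
    if (body === undefined) throw new Error(`partial '${name}' not found`);
    return body;
  });
  return withPartials.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (_, key) =>
    escapeHtml(Object.prototype.hasOwnProperty.call(context, key) ? context[key] : ''));
}

// Runs one template through the three lookups under simulated pollution and
// returns each outcome. The polluted value is constructed sample data; the
// pollution is removed before returning.
function demo() {
  const template = '<p>{{ greeting }}</p>{{> footer }}';
  const context = { greeting: '<b>hi</b>' };
  const partials = { header: '<h1>{{ greeting }}</h1>' }; // no 'footer' registered

  Object.prototype.footer = '<img src=x onerror=alert(1)>'; // simulated pollution gadget
  try {
    // 1. Plain lookup: the polluted string is inlined as the partial body, unescaped.
    const vulnerable = render(template, context, partials, resolvePartialVulnerable);

    // 2. Own-property check: the inherited key is not a registered partial.
    let hardened;
    try { render(template, context, partials, resolvePartialHardened); }
    catch (e) { hardened = e.message; }

    // 3. Null-prototype map: no chain to traverse, even with the plain lookup.
    const nullProtoPartials = Object.assign(Object.create(null), partials);
    let nullProto;
    try { render(template, context, nullProtoPartials, resolvePartialVulnerable); }
    catch (e) { nullProto = e.message; }

    return { vulnerable, hardened, nullProto };
  } finally {
    delete Object.prototype.footer;
  }
}

console.log(demo());
```

The null-prototype map is the cheaper fix where the partials registry is under your control; the own-property check is the one to apply inside a lookup that must accept caller-supplied maps.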
GHSA
CVE-2021-23369 [CRITICAL] CWE-94 Remote code execution in handlebars when compiling templates
ghsa · 2021-05-06
Description: identical to the upstream text at the top of this page.
OSV
CVE-2021-23369 [CRITICAL] Remote code execution in handlebars when compiling templates
osv · 2021-05-06
Description: identical to the upstream text at the top of this page.
OSV
CVE-2021-23369 [CRITICAL]
osv · 2021-04-12 · CVSS 9.8
Description: identical to the upstream text at the top of this page.
No detection rules found.
No public exploits indexed.
References
https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
https://security.netapp.com/advisory/ntap-20210604-0008/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767