CVE-2021-23383
Published 2021-05-04
Priority: P349 · Severity: critical · CVSS 3.1 score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.51% (90.3rd percentile)
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-handlebars | < node-handlebars 3:4.7.6+~4.1.0-2 (bookworm) | node-handlebars 3:4.7.6+~4.1.0-2 (bookworm) |
| handlebarsjs | handlebars | < 4.7.7 | 4.7.7 |
| handlebarsjs | handlebars | >= 0 < 4.7.7 | 4.7.7 |
| handlebarsjs | handlebars | >= 4.0.0 < 4.7.9 | 4.7.9 |
| handlebarsjs | handlebars | >= 4.6.0 < 4.7.9 | 4.7.9 |
| handlebarsjs | handlebars | >= unspecified < 4.7.7 | 4.7.7 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 5.6 | MEDIUM | |
| vendor_redhat | | 5.6 | MEDIUM | |
Red Hat
nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option
vendor_redhat·2021-04-12·CVSS 5.6
CVE-2021-23383 [MEDIUM] CWE-94 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
A flaw was found in nodejs-handlebars. An unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker who can provide untrusted Handlebars templates to execute arbitrary code in the JavaScript environment (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana component
Debian
CVE-2021-23383: node-handlebars - The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when s...
vendor_debian·2021·CVSS 5.6
CVE-2021-23383 [MEDIUM] CVE-2021-23383: node-handlebars - The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when s...
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Scope: local
bookworm: resolved (fixed in 3:4.7.6+~4.1.0-2)
bullseye: resolved (fixed in 3:4.7.6+~4.1.0-2)
forky: resolved (fixed in 3:4.7.6+~4.1.0-2)
sid: resolved (fixed in 3:4.7.6+~4.1.0-2)
trixie: resolved (fixed in 3:4.7.6+~4.1.0-2)
OSV
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
osv·2026-03-29·CVSS 9.8
[CRITICAL] Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
## Summary
The prototype method blocklist in `lib/handlebars/internal/proto-access.js` blocks `constructor`, `__defineGetter__`, `__defineSetter__`, and `__lookupGetter__`, but omits the symmetric `__lookupSetter__`. This omission is only exploitable when the non-default runtime option `allowProtoMethodsByDefault: true` is explicitly set — in that configuration `__lookupSetter__` becomes accessible while its counterparts remain blocked, creating an inconsistent security boundary.
`4.6.0` is the version that introduced `protoAccessControl` and the `allowProtoMethodsByDefault` runtime option.
## Description
In `lib/handlebars/internal/proto-access.js`:
```javascript
const methodWhiteLis
```
GHSA
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
ghsa·2026-03-29·CVSS 9.8
[CRITICAL] CWE-1321 Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry
OSV
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
osv·2026-03-26·CVSS 9.8
CVE-2026-33916 [CRITICAL] Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
## Summary
`resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered **without HTML escaping**, resulting in reflected or stored XSS.
## Description
The root cause is in `lib/handlebars/runtime.js` inside `resolvePartial()` and `invokePartial()`:
```javascript
// Vulnerable: plain bracket access traverses Object.prototype
partial = options.partials[options.name];
```
`hasOwnProperty` is never checked, so if `Object
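As an added illustration of the `resolvePartial()` lookup quoted above (this is example code, not the Handlebars project's own), the vulnerable bracket-access shape is shown beside a hardened resolver that only accepts own properties of the partials map. The partial names, bodies, and the polluted key are constructed test data; the hardened resolver's error message is modelled on the one Handlebars raises for an unknown partial.

```javascript
// Added example, not code from the Handlebars project: a partial resolver in the
// shape of the vulnerable lookup, beside a hardened version that only accepts
// own properties of the partials map. All names and bodies below are constructed.

function resolvePartialUnsafe(partials, name) {
  // Vulnerable shape: plain bracket access walks the prototype chain, so an
  // inherited (polluted) property is returned as if it were a registered partial.
  return partials[name];
}

function resolvePartialSafe(partials, name) {
  // Hardened: only own keys of the partials map are considered; anything
  // inherited from Object.prototype is treated as "no such partial".
  if (!Object.prototype.hasOwnProperty.call(partials, name)) {
    throw new Error(`The partial ${name} could not be found`);
  }
  return partials[name];
}

// Runs both resolvers against a map with one legitimate partial while
// Object.prototype carries a string under a second, unregistered name
// (the precondition the advisory describes). The pollution is applied and
// removed inside the function so it does not leak into the rest of the process.
function demoPollutedPartialLookup() {
  const partials = { header: '<h1>{{title}}</h1>' };
  const pollutedKey = 'footer';                // constructed: no own partial by this name
  const pollutedBody = '<b>injected body</b>'; // constructed: stands in for untrusted markup
  Object.defineProperty(Object.prototype, pollutedKey, {
    value: pollutedBody, configurable: true, writable: true, enumerable: false,
  });
  try {
    const unsafeResult = resolvePartialUnsafe(partials, pollutedKey); // polluted string comes back
    let safeResult;
    try {
      safeResult = resolvePartialSafe(partials, pollutedKey);
    } catch (e) {
      safeResult = e.message;                   // hardened resolver refuses the lookup
    }
    return {
      legit: resolvePartialSafe(partials, 'header'), // a registered partial still resolves
      unsafeResult,
      safeResult,
    };
  } finally {
    delete Object.prototype[pollutedKey];
  }
}
```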
GHSA
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
ghsa·2026-03-26·CVSS 9.8
CVE-2026-33916 [CRITICAL] CWE-1321 Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
GHSA
Prototype Pollution in handlebars
ghsa·2022-02-10
CVE-2021-23383 [CRITICAL] CWE-1321 Prototype Pollution in handlebars
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
OSV
Prototype Pollution in handlebars
osv·2022-02-10
CVE-2021-23383 [CRITICAL] Prototype Pollution in handlebars
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
OSV
CVE-2021-23383: The package handlebars before 4
osv·2021-05-04·CVSS 9.8
CVE-2021-23383 [CRITICAL] CVE-2021-23383: The package handlebars before 4
The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
No detection rules found.
No public exploits indexed.
Wiz
GHSA-7rx3-28cr-v5wh Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.6
[MEDIUM] GHSA-7rx3-28cr-v5wh Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-7rx3-28cr-v5wh: Handlebars vulnerability analysis and mitigation
## Description
In `lib/handlebars/internal/proto-access.js`:
```javascript
const methodWhiteList = Object.create(null);
methodWhiteList['constructor'] = false;
methodWhiteList['__defineGetter__'] = false;
methodWhiteList['__defineSetter__'] = false;
methodWhiteList['__lookupGetter__'] = false;
// __lookupSetter__ intentionally blocked in CVE-2021-23383,
// but omitted here — creating an asymmetric blocklist
```
Bugzilla
CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option
bugzilla·2021-05-04·CVSS 9.8
CVE-2021-23383 [CRITICAL] CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option
The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when using the compat compile option to compile templates coming from an untrusted source.
Upstream patch:
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
Discussion:
This issue is just about the compat:true option.
---
Created nodejs-handlebars tracking bugs for this issue:
Affects: epel-7 [bug 1956695]
Affects: fedora-32 [bug 1956696]
---
Statement:
Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed.
The op
References
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
https://security.netapp.com/advisory/ntap-20210618-0007/
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029