At the beginning of the year, we were notified by npm-security about a vulnerablity that allowed template creators to execute arbitrary JavaScript code.
By accessing the object's constructor, it is possible to fabricate arbitrary and execute Functions.
In an environment, where Handlebars is executed in a NodeJS environment, this means that anybody who can modify Handlebars templates, can also access the file system, spawn sub-processes and open network connections from the NodeJS-server.
The vulnerabilty has been fixed in version 4.0.13 and 4.1.0 by forbidding access to the constructor.
So far, we have not been able to reproduce the vulnerability with 3.x versions.
https://www.npmjs.com/advisories/755
At the beginning of the year, we were notified by npm-security about a vulnerablity that allowed template creators to execute arbitrary JavaScript code.
By accessing the object's constructor, it is possible to fabricate arbitrary and execute Functions.
In an environment, where Handlebars is executed in a NodeJS environment, this means that anybody who can modify Handlebars templates, can also access the file system, spawn sub-processes and open network connections from the NodeJS-server.
The vulnerabilty has been fixed in version
4.0.13and4.1.0by forbidding access to the constructor.So far, we have not been able to reproduce the vulnerability with 3.x versions.
https://www.npmjs.com/advisories/755