CVE-2021-23369

MEDIUM

Handlebars < 4.7.7 - Remote Code Execution

Title source: rule

Description

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when certain compile options are selected while compiling templates that come from an untrusted source.

Exploits (2)

nomisec · WORKING POC · 1 star
by fazilbaig1 · poc
https://github.com/fazilbaig1/CVE-2021-23369

nomisec · WORKING POC
by dinhvaren · poc
https://github.com/dinhvaren/cve-2021-23369

Scores

CVSS v3 5.6
EPSS 0.0181
EPSS Percentile 82.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

Status published
Products (5)
handlebarsjs/handlebars < 4.7.7
npm/handlebars 0 - 4.7.7 (npm)
org.webjars/handlebars 0 - 4.7.7 (Maven)
org.webjars.bowergithub.wycats/handlebars.js 0 - 4.7.7 (Maven)
org.webjars.npm/handlebars 0 - 4.7.7 (Maven)
Published Apr 12, 2021
Tracked Since Feb 18, 2026