
chore(deps): update dependency handlebars to v4.7.9 [security]#306

Open
renovate[bot] wants to merge 1 commit into develop from renovate/npm-handlebars-vulnerability

Conversation

@renovate renovate Bot commented May 9, 2021

This PR contains the following updates:

Package: handlebars (source)
Change: 4.6.0 → 4.7.9

Remote code execution in handlebars when compiling templates

CVE-2021-23369 / GHSA-f2jv-r9rf-7988


Details

The package handlebars before 4.7.7 is vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Arbitrary Code Execution in Handlebars

CVE-2019-20920 / GHSA-3cqr-58rm-57f8


Details

Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L



Prototype Pollution in handlebars

CVE-2021-23383 / GHSA-765h-qjxv-5f44


Details

The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H



Prototype Pollution in handlebars

GHSA-q42p-pg8m-cqh6


Details

Versions of handlebars prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Recommendation

For handlebars 4.1.x upgrade to 4.1.2 or later.
For handlebars 4.0.x upgrade to 4.0.14 or later.

Severity

  • CVSS Score: 7.3 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L



Arbitrary Code Execution in handlebars

GHSA-2cf5-4w76-r9qv


Details

Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

The following template can be used to demonstrate the vulnerability:

Recommendation

Upgrade to version 3.0.8, 4.5.2 or later.

Severity

  • CVSS Score: 7.3 / 10 (High)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L



Prototype Pollution in handlebars

GHSA-g9r4-xpmj-mj65


Details

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Severity

High



Arbitrary Code Execution in handlebars

GHSA-q2c6-c6pm-g3gh


Details

Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).

Recommendation

Upgrade to version 3.0.8, 4.5.3 or later.

Severity

High



Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection

CVE-2026-33916 / GHSA-2qvq-rjwj-gvw9


Details

Summary

resolvePartial() in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS.

Description

The root cause is in lib/handlebars/runtime.js inside resolvePartial() and invokePartial():

// Vulnerable: plain bracket access traverses Object.prototype
partial = options.partials[options.name];

hasOwnProperty is never checked, so if Object.prototype has been seeded with a key whose name matches a partial reference in the template (e.g. widget), the lookup succeeds and the polluted string is returned. The runtime emits a prototype-access warning, but the partial is still resolved and its content is inserted into the rendered output unescaped. This contradicts the documented security model and is distinct from CVE-2021-23369 and CVE-2021-23383, which addressed data property access rather than partial template resolution.

Prerequisites for exploitation:

  1. The target application must be vulnerable to prototype pollution (e.g. via qs, minimist, or any querystring/JSON merge sink).
  2. The attacker must know or guess the name of a partial reference used in a template.

Proof of Concept

const Handlebars = require('handlebars');

// Step 1: Prototype pollution (via qs, minimist, or another vector)
Object.prototype.widget = '<img src=x onerror="alert(document.domain)">';

// Step 2: Normal template that references a partial
const template = Handlebars.compile('<div>Welcome! {{> widget}}</div>');

// Step 3: Render — XSS payload injected unescaped
const output = template({});
// Output: <div>Welcome! <img src=x onerror="alert(document.domain)"></div>

The runtime prints a prototype access warning claiming "access has been denied," but the partial still resolves and returns the polluted value.

Workarounds

  • Apply Object.freeze(Object.prototype) early in application startup to prevent prototype pollution. Note: this may break other libraries.
  • Use the Handlebars runtime-only build (handlebars/runtime), which does not compile templates and reduces the attack surface.

Severity

  • CVSS Score: 4.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N



Release Notes

handlebars-lang/handlebars.js (handlebars)

v4.7.9

v4.7.8

v4.7.7

  • fix weird error in integration tests - eb860c0
  • fix: check prototype property access in strict-mode (#1736) - b6d3de7
  • fix: escape property names in compat mode (#1736) - f058970
  • refactor: In spec tests, use expectTemplate over equals and shouldThrow (#1683) - 77825f8
  • chore: start testing on Node.js 12 and 13 - 3789a30

(POSSIBLY) BREAKING CHANGES:

  • the changes from version 4.6.0 now also apply when using the compile-option "strict: true". Access to prototype properties is forbidden completely by default; specific properties or methods can be allowed via runtime-options. See #1633 for details. If you are using Handlebars as documented, you should not be accessing prototype properties from your template anyway, so the changes should not be a problem for you. Only the use of undocumented features can break your build.

That is why we only bump the patch version despite mentioning breaking changes.

v4.7.6

Compatibility notes:

  • Restored Node.js compatibility

v4.7.5

Chore/Housekeeping:

  • Node.js version support has been changed to v6+ (reverted in 4.7.6)

Compatibility notes:

  • Node.js < v6 is no longer supported (reverted in 4.7.6)

v4.7.4

Compatibility notes:

  • No incompatibilities are to be expected

v4.7.3

Chore/Housekeeping:

  • #1644 - Download links to aws broken on handlebarsjs.com - access denied (@Tea56)
  • Fix spelling and punctuation in changelog - d78cc73

Bugfixes:

  • Add Type Definition for Handlebars.VERSION, Fixes #1647 - 4de51fe
  • Include Type Definition for runtime.js in Package - a32d05f

Compatibility notes:

  • No incompatibilities are to be expected

v4.7.2

Chore/Build:

  • chore: execute saucelabs-task only if access-key exists - a4fd391

Compatibility notes:

  • No breaking changes are to be expected

v4.7.1

Bugfixes:

  • fix: fix log output in case of illegal property access - f152dfc
  • fix: log error for illegal property access only once per property - 3c1e252

Compatibility notes:

  • no incompatibilities are to be expected.

v4.7.0

Features:

  • feat: default options for controlling proto access - 7af1c12, #1635
    • This makes it possible to disable the prototype access restrictions added in 4.6.0
    • an error is logged in the console if access to prototype properties is attempted and denied and no explicit configuration has taken place.

Compatibility notes:

  • no incompatibilities are expected


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
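The partial-lookup defect in the last advisory above and the prototype-access restriction that the 4.6.0 / 4.7.7 release notes refer to are both own-property problems: a plain `obj[name]` read walks the prototype chain, so anything an attacker has seeded onto Object.prototype is found. The JavaScript below is an added illustration, not code from handlebars.js or from this repository. It deliberately avoids the handlebars package and models the lookups with its own functions: unsafeMerge, resolvePartialVulnerable, resolvePartialSafe, lookupProperty and demo are this example's names (not Handlebars APIs), and the request body, payload and partial names are constructed for the demo. It pollutes Object.prototype through a typical merge sink, shows that bracket access on the partials map returns the polluted string while an own-property check (or a null-prototype registry) does not, and shows a data lookup that denies inherited properties unless explicitly allow-listed, in the spirit of the runtime options introduced in 4.6.0 / 4.7.0.

```javascript
'use strict';

// Added example, not code from handlebars.js or from this repository. It models,
// without the handlebars package, the two lookup defects described above: a
// partial name resolved by plain bracket access (GHSA-2qvq-rjwj-gvw9) and a data
// property read that walks the prototype chain (restricted since 4.6.0 / 4.7.7).
// All function names here are this example's own, not Handlebars APIs.

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// A typical pollution sink: recursive merge of untrusted JSON with no filter on
// "__proto__". When key === "__proto__", target[key] is Object.prototype, so the
// recursion writes straight into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body: JSON.parse keeps "__proto__" as an own key here.
const PAYLOAD = '<img src=x onerror="alert(document.domain)">';
const UNTRUSTED_BODY = '{"__proto__":{"widget":' + JSON.stringify(PAYLOAD) + '}}';

// Pattern from the advisory: the lookup succeeds through the prototype chain.
function resolvePartialVulnerable(partials, name) {
  return partials[name];
}

// Hardened lookup: only partials actually registered on the map resolve.
function resolvePartialSafe(partials, name) {
  return hasOwn(partials, name) ? partials[name] : undefined;
}

// Data lookup in the spirit of the 4.6.0 restriction: own properties resolve,
// inherited ones (constructor, __proto__, class getters) are denied unless the
// caller allow-lists them explicitly.
function lookupProperty(parent, name, { allowedProtoProperties = [] } = {}) {
  if (parent === null || parent === undefined) return undefined;
  if (hasOwn(parent, name)) return parent[name];
  if (allowedProtoProperties.includes(name)) return parent[name];
  return undefined;
}

// Constructed view model with one own data property and one inherited getter.
class User {
  constructor(name) { this.name = name; }
  get greeting() { return 'hi ' + this.name; }
}

// Runs the whole scenario and undoes the pollution afterwards so nothing leaks.
function demo() {
  const partials = { footer: '<footer>ok</footer>' };               // no "widget" registered
  const nullProtoPartials = Object.assign(Object.create(null), partials);
  const user = new User('alice');
  try {
    unsafeMerge({}, JSON.parse(UNTRUSTED_BODY));                     // step 1: pollute
    return {
      polluted: hasOwn(Object.prototype, 'widget'),
      vulnerable: resolvePartialVulnerable(partials, 'widget'),        // the polluted body
      hardened: resolvePartialSafe(partials, 'widget'),               // undefined
      nullProto: resolvePartialVulnerable(nullProtoPartials, 'widget'), // undefined: no chain
      ownStillWorks: resolvePartialSafe(partials, 'footer'),
      constructorDenied: lookupProperty(user, 'constructor') === undefined,
      getterDeniedByDefault: lookupProperty(user, 'greeting') === undefined,
      getterAllowed: lookupProperty(user, 'greeting', { allowedProtoProperties: ['greeting'] }),
      ownData: lookupProperty(user, 'name'),
    };
  } finally {
    delete Object.prototype.widget;                                  // undo the pollution
  }
}

console.log(demo());
```

The advisory's Object.freeze(Object.prototype) workaround is not exercised here because it cannot be undone inside a demo and, as the advisory notes, can break other libraries; keeping the partials registry on a null-prototype object (or in a Map) removes the inherited lookup path without touching the global prototype, and the own-property check covers registries you do not control.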

@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from 4c6c446 to 255df82 (March 26, 2022 12:37)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from 255df82 to dabea8c (June 18, 2022 22:19)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from dabea8c to fcbcb22 (November 20, 2022 14:02)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from fcbcb22 to 16a793e (March 16, 2023 06:34)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from 16a793e to 5c56758 (August 10, 2025 14:35)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from 5c56758 to f05ad13 (September 25, 2025 16:45)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from f05ad13 to 04ae96d (December 3, 2025 18:10)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from 04ae96d to 07f9000 (January 19, 2026 17:34)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from 07f9000 to 1e7486e (February 12, 2026 14:15)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from 1e7486e to 6116100 (March 5, 2026 15:51)
@renovate renovate Bot changed the title from "chore(deps): update dependency handlebars to v4.7.7 [security]" to "chore(deps): update dependency handlebars to v4.7.7 [security] - autoclosed" (Mar 27, 2026)
@renovate renovate Bot closed this (Mar 27, 2026)
@renovate renovate Bot deleted the renovate/npm-handlebars-vulnerability branch (March 27, 2026 01:52)
@renovate renovate Bot changed the title from "chore(deps): update dependency handlebars to v4.7.7 [security] - autoclosed" to "chore(deps): update dependency handlebars to v4.7.9 [security]" (Mar 27, 2026)
@renovate renovate Bot reopened this (Mar 27, 2026)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from 6116100 to 979a444 (March 27, 2026 09:00)
@renovate renovate Bot changed the title from "chore(deps): update dependency handlebars to v4.7.9 [security]" to "chore(deps): update dependency handlebars to v4.7.9 [security] - autoclosed" (Apr 27, 2026)
@renovate renovate Bot closed this (Apr 27, 2026)
@renovate renovate Bot changed the title from "chore(deps): update dependency handlebars to v4.7.9 [security] - autoclosed" to "chore(deps): update dependency handlebars to v4.7.9 [security]" (Apr 27, 2026)
@renovate renovate Bot reopened this (Apr 27, 2026)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch 2 times, most recently from 979a444 to f1807a9 (April 27, 2026 21:30)
@renovate renovate Bot force-pushed the renovate/npm-handlebars-vulnerability branch from f1807a9 to 26134c1 (May 12, 2026 15:49)