{ "schema_version": "1.4.0", "id": "GHSA-q42p-pg8m-cqh6", "modified": "2021-08-04T20:54:05Z", "published": "2019-06-05T14:07:48Z", "aliases": [], "summary": "Prototype Pollution in handlebars", "details": "Versions of `handlebars` prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.\n\n\n## Recommendation\n\nFor handlebars 4.1.x upgrade to 4.1.2 or later.\nFor handlebars 4.0.x upgrade to 4.0.14 or later.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], "affected": [ { "package": { "ecosystem": "npm", "name": "handlebars" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.1.0" }, { "fixed": "4.1.2" } ] } ] }, { "package": { "ecosystem": "npm", "name": "handlebars" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "4.0.0" }, { "fixed": "4.0.14" } ] } ] }, { "package": { "ecosystem": "npm", "name": "handlebars" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.0.7" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/issues/1495" }, { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac" }, { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86" }, { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4" }, { "type": "WEB", "url": "https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e" }, { "type": "WEB", "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692" }, { "type": "WEB", "url": "https://www.npmjs.com/advisories/755" } ], "database_specific": { "cwe_ids": [ "CWE-471" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": 
"2019-06-05T13:55:39Z", "nvd_published_at": null } }