CVE-2026-33916

Description

## Summary `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered **without HTML escaping**, resulting in reflected or stored XSS. ## Description The root cause is in `lib/handlebars/runtime.js` inside `resolvePartial()` and `invokePartial()`: ```javascript // Vulnerable: plain bracket access traverses Object.prototype partial = options.partials[options.name]; ``` `hasOwnProperty` is never checked, so if `Object.prototype` has been seeded with a key whose name matches a partial reference in the template (e.g. `widget`), the lookup succeeds and the polluted string is returned. The runtime emits a prototype-access warning, but the partial is still resolved and its content is inserted into the rendered output unescaped. This contradicts the documented security model and is distinct from CVE-2021-23369 and CVE-2021-23383, which addressed data property access rather than partial template resolution. **Prerequisites for exploitation:** 1. The target application must be vulnerable to prototype pollution (e.g. via `qs`, `minimist`, or any querystring/JSON merge sink). 2. The attacker must know or guess the name of a partial reference used in a template. ## Proof of Concept ```javascript const Handlebars = require('handlebars'); // Step 1: Prototype pollution (via qs, minimist, or another vector) Object.prototype.widget = '<img src=x onerror="alert(document.domain)">'; // Step 2: Normal template that references a partial const template = Handlebars.compile('<div>Welcome! {{> widget}}</div>'); // Step 3: Render - XSS payload injected unescaped const output = template({}); // Output: <div>Welcome! <img src=x onerror="alert(document.domain)"></div> ``` > The runtime prints a prototype access warning claiming "access has been denied," but the partial still resolves and returns the polluted value. ## Workarounds - Apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution. Note: this may break other libraries. - Use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.

Priority Score