Evanj2357

**Name of the Vulnerable Software and Affected Versions** Handlebars versions 4.0.0 through 4.7.8 **Description** Handlebars allows users to build semantic templates. A flaw exists where the `@partial-block` special variable is stored in the template data context and is mutable from within a template via helpers that accept arbitrary objects. If a helper overwrites `@partial-block` with a crafted Handlebars Abstract Syntax Tree (AST), a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, potentially enabling arbitrary JavaScript execution on the server. The `handlebars-helpers` npm package includes helpers that can be used to overwrite the `@partial-block` variable. The vulnerability occurs because the data frame is a mutable object, allowing attackers to control the value of `@partial-block`. When `{{> @partial-block}}` is evaluated, the runtime dynamically compiles the value, and if it's a well-formed Handlebars AST containing injected code, the injected JavaScript runs in the server process. **Recommendations** Use the runtime-only build (`require('handlebars/runtime')`). Audit registered helpers for any that write arbitrary values to context objects. Avoid registering helpers from third-party packages in contexts where templates or context data can be influenced by untrusted input.

**Name of the Vulnerable Software and Affected Versions** Handlebars versions 4.0.0 through 4.7.8 **Description** Handlebars allows users to build semantic templates. A crafted object placed in the template context can bypass conditional guards in the `resolvePartial()` function, causing `invokePartial()` to return `undefined`. The Handlebars runtime then treats the unresolved partial as a source for compilation, passing the crafted object to `env.compile()`. Because the object is a valid Handlebars AST containing injected code, the generated JavaScript executes arbitrary commands on the server. The attack requires control over a value returned by a dynamic partial lookup. The vulnerable code path spans two functions: `resolvePartial()` and `invokePartial()`. The `resolvePartial()` function returns the crafted object itself, and `invokePartial()` then calls `env.compile()` with the crafted AST object. This enables Remote Code Execution in server-side rendering scenarios where templates process user-supplied context data. A proof of concept demonstrates the exploitation using a crafted object with `call: true` to bypass the primary branch condition in `resolvePartial()`. **Recommendations** Use the runtime-only build (`require('handlebars/runtime')`). Sanitize context data before rendering to ensure no non-primitive object is passed to a dynamic partial. Avoid dynamic partial lookups (`{{> (lookup ...)}}`) when context data is user-controlled.