Unknown · Handlebars · CVE-2026-33937
**Name of the Vulnerable Software and Affected Versions**
Handlebars versions 4.0.0 through 4.7.8
**Description**
Handlebars allows Remote Code Execution (RCE) through a crafted Abstract Syntax Tree (AST) object. The `Handlebars.compile()` function accepts either a template string or a pre-parsed AST. When an AST is supplied, the `value` field of a `NumberLiteral` AST node is emitted directly into the generated JavaScript without sanitization: the parser only ever puts a number in that field, so the compiler trusts it, but an attacker-supplied AST can put arbitrary JavaScript source there instead. Anyone who can supply a crafted AST to `compile()` can therefore inject and execute arbitrary JavaScript on the server. The vulnerable code path resides in `lib/handlebars/compiler/javascript-compiler.js`, where `NumberLiteral` values are appended to the generated code without escaping. Any endpoint that deserializes user-controlled JSON and passes the result directly to `Handlebars.compile()` is potentially exploitable. The proof of concept demonstrates command execution by placing `process.getBuiltinModule('child_process').execFileSync('id')` in the `value` field, which runs the `id` command when the template is compiled.
**Recommendations**
Upgrade to Handlebars 4.7.9 or later; versions 4.0.0 through 4.7.8 are affected.
Validate input type before calling `Handlebars.compile()`: ensure the argument is always a `string`, never a plain object or JSON-deserialized value.
Use the Handlebars runtime-only build (`handlebars/runtime`) on the server if templates are pre-compiled at build time; `compile()` will be unavailable.
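The following is an added example, not Handlebars' own code or the advisory's proof of concept. It shows the two guards recommended above around a `compile` function that is passed in (in a real application that would be `Handlebars.compile`), plus a small model of the sink the advisory describes so the effect of an unescaped `NumberLiteral` value is visible without the library installed. The `craftedAst` object is constructed here in the node layout Handlebars' parser uses (`type`/`value`/`original`, `loc` omitted); the `modelEmit`, `safeCompile`, `findUnsafeLiterals` and `compileAst` names are this example's own, and the injected expression is the harmless `process.version` rather than a command.

```javascript
'use strict';

// Constructed sample: the AST Handlebars would produce for "{{add 1 2}}",
// with the second NumberLiteral's `value` replaced by JavaScript source.
// Node layout follows Handlebars' AST (type/value/original); loc omitted.
const craftedAst = {
  type: 'Program',
  body: [
    {
      type: 'MustacheStatement',
      path: { type: 'PathExpression', data: false, depth: 0, parts: ['add'], original: 'add' },
      params: [
        { type: 'NumberLiteral', value: 1, original: 1 },
        // Attacker-controlled: a string where the parser would only ever put a number.
        { type: 'NumberLiteral', value: 'process.version', original: 2 },
      ],
      hash: undefined,
      escaped: true,
      strip: {},
    },
  ],
  strip: {},
};

// Depth-first walk over every AST node (objects carrying a string `type`).
function walk(node, visit) {
  if (Array.isArray(node)) { node.forEach((n) => walk(n, visit)); return; }
  if (node === null || typeof node !== 'object') return;
  if (typeof node.type === 'string') visit(node);
  for (const key of Object.keys(node)) walk(node[key], visit);
}

// Model of the sink the advisory describes, NOT Handlebars' compiler: each
// NumberLiteral value is concatenated into generated source verbatim and the
// source is then turned into a function, so a string value becomes code.
function modelEmit(ast) {
  const literals = [];
  walk(ast, (n) => { if (n.type === 'NumberLiteral') literals.push(String(n.value)); });
  return new Function('return [' + literals.join(', ') + '];');
}

// Guard 1 (primary mitigation): never let a non-string reach compile().
function safeCompile(input, compile) {
  if (typeof input !== 'string') {
    throw new TypeError('template must be a string, got ' + (input === null ? 'null' : typeof input));
  }
  return compile(input);
}

// Guard 2 (only if pre-parsed ASTs must be accepted): refuse any NumberLiteral
// whose value is not a finite number before the AST is compiled.
function findUnsafeLiterals(ast) {
  const problems = [];
  walk(ast, (n) => {
    if (n.type === 'NumberLiteral' && !(typeof n.value === 'number' && Number.isFinite(n.value))) {
      problems.push('NumberLiteral carries ' + typeof n.value + ' ' + JSON.stringify(n.value));
    }
  });
  return problems;
}

function compileAst(ast, compile) {
  const problems = findUnsafeLiterals(ast);
  if (problems.length > 0) throw new Error('rejected AST: ' + problems.join('; '));
  return compile(ast);
}

// Demo: the model sink evaluates the injected source; both guards reject the AST.
function demo() {
  const emitted = modelEmit(craftedAst)();
  let typeGuardRejects = false;
  try { safeCompile(craftedAst, () => 'ok'); } catch (e) { typeGuardRejects = e instanceof TypeError; }
  let astGuardRejects = false;
  try { compileAst(craftedAst, () => 'ok'); } catch (e) { astGuardRejects = /rejected AST/.test(e.message); }
  return {
    injectedValueEvaluated: emitted[1] === process.version,
    typeGuardRejects,
    astGuardRejects,
  };
}

if (typeof module !== 'undefined' && typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The type guard is the one to ship: it closes the AST path entirely and costs nothing. The literal validator is a fallback for code that legitimately builds ASTs (for instance a template transformer that runs `Handlebars.parse()` and feeds the result back in); it checks only the `NumberLiteral` field this advisory names, so treat it as a minimum, not a complete AST schema check.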