CVE-2021-23369

CRITICAL9.8EPSS 3.6%

Remote code execution in handlebars when compiling templates

Published: 5/6/2021Modified: 2/4/2026

Also known as:GHSA-f2jv-r9rf-7988CGA-36j8-6jmc-8fccDEBIAN-CVE-2021-23369

Description

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.

Affected packages (5)

Debian/node-handlebarsfrom 0, < 3:4.7.6+~4.1.0-2
Maven/org.webjars.bowergithub.wycats:handlebars.jsfrom 0, < 4.7.7
Maven/org.webjars:handlebarsfrom 0, < 4.7.7
Maven/org.webjars.npm:handlebarsfrom 0, < 4.7.7
npm/handlebarsfrom 0, < 4.7.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (10)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-23369
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-23369
PATCHhttps://github.com/wycats/handlebars.js
WEBhttps://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
WEBhttps://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
WEBhttps://security.netapp.com/advisory/ntap-20210604-0008
WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950
WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951
WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952
WEBhttps://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767