Handlebars versions 4.3.1 and 4.3.0 are both releases of the popular templating engine designed to empower developers to construct semantic templates efficiently. Both versions share the same core dependencies, including neo-async, optimist, source-map, and uglify-js, ensuring consistent functionality for common templating tasks. Similarly, the development dependencies remain identical, featuring tools like aws-sdk, babel-loader, grunt, webpack, and various testing and linting utilities, suggesting a focus on maintaining code quality and compatibility across the development lifecycle.
The primary difference lies in the bug fixes and minor improvements incorporated in version 4.3.1. While both versions have the same functionalities the newer version includes increased stability, likely addressing reported issues or edge cases encountered in version 4.3.0. Version 4.3.1 has an increased unpacked size and a later release date, indicating included fixes. For developers, upgrading to 4.3.1 is recommended to leverage these improvements. Both versions utilize the MIT license, offering flexibility in usage and modification. The consistent "author" and "repository" fields reinforces the project's stability and maintainability under Yehuda Katz. For any developer using Handlebars, regularly updating to benefit from stability improvements and bug fixes is a must.
All the vulnerabilities related to the version 4.3.1 of the package
Regular Expression Denial of Service in Handlebars
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Denial of Service in handlebars
Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.
Upgrade to version 4.4.5 or later.
Arbitrary Code Execution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.2 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
The following template can be used to demonstrate the vulnerability:
{{#with split as |a|}}
{{pop (push "alert('Vulnerable Handlebars JS');")}}
{{#with (concat (lookup join (slice 0 1)))}}
{{#each (slice 2 3)}}
{{#with (apply 0 a)}}
{{.}}
{{/with}}
{{/each}}
{{/with}}
{{/with}}
{{/with}}```
## Recommendation
Upgrade to version 3.0.8, 4.5.2 or later.
Arbitrary Code Execution in Handlebars
Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrary Code Execution. The lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript. This can be used to run arbitrary code on a server processing Handlebars templates or in a victim's browser (effectively serving as XSS).
Prototype Pollution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.
Upgrade to version 3.0.8, 4.5.3 or later.
Arbitrary Code Execution in handlebars
Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to Arbitrary Code Execution. The package's lookup helper fails to properly validate templates, allowing attackers to submit templates that execute arbitrary JavaScript in the system. It is due to an incomplete fix for a previous issue. This vulnerability can be used to run arbitrary code in a server processing Handlebars templates or on a victim's browser (effectively serving as Cross-Site Scripting).
Upgrade to version 3.0.8, 4.5.3 or later.
Prototype Pollution in handlebars
The package handlebars before 4.7.7 are vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source.
Remote code execution in handlebars when compiling templates
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source.
Prototype Pollution in minimist
Affected versions of minimist are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --__proto__.y=Polluted adds a y property with value Polluted to all objects. The argument --__proto__=Polluted raises and uncaught error and crashes the application.
This is exploitable if attackers have control over the arguments being passed to minimist.
Upgrade to versions 0.2.1, 1.2.3 or later.
Prototype Pollution in minimist
Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).