Miggo Logo
Miggo Vulnerability Database
CVE-2021-23369

CVE-2021-23369:
Remote code execution in handlebars when compiling templates

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-23369
GHSA ID
GHSA-f2jv-r9rf-7988
EPSS Score
0.88393%
CWE
CWE-94
Published
5/6/2021
Updated
11/29/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
handlebarsnpm< 4.7.74.7.7
org.webjars:handlebarsmaven< 4.7.74.7.7
org.webjars.npm:handlebarsmaven< 4.7.74.7.7
org.webjars.bowergithub.wycats:handlebars.jsmaven< 4.7.74.7.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key issues: 1) Insecure property access in template runtime that allowed prototype pollution via direct obj[name] access, and 2) Unsafe code generation in the compiler that didn't properly escape property names. The fixes in commits b6d3de7 and f058970 address these by introducing container.lookupProperty (which checks own properties) and JSON.stringify escaping respectively. The Snyk PoC demonstrates exploitation through prototype manipulation in strict mode, which would leverage these vulnerable code paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** p**k*** **n*l***rs ***or* *.*.* *r* vuln*r**l* to R*mot* *o** *x**ution (R**) w**n s*l**tin* **rt*in *ompilin* options to *ompil* t*mpl*t*s *omin* *rom *n untrust** sour**.

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) Ins**ur* prop*rty ****ss in t*mpl*t* runtim* t**t *llow** prototyp* pollution vi* *ir**t o*j[n*m*] ****ss, *n* *) Uns*** *o** **n*r*tion in t** *ompil*r t**t *i*n't prop*rly *s**p* prop*rty n*m*s. T** *