5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32817

GHSA ID

GHSA-rwxp-hwwf-653v

EPSS Score

0.6403%

CWE

CWE-94

Published

5/17/2021

Updated

4/4/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32817

CVE-2021-32817:
Insecure template handling in express-hbs

express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32817

GHSA ID

GHSA-rwxp-hwwf-653v

EPSS Score

0.6403%

CWE

CWE-94

Published

5/17/2021

Updated

4/4/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
express-hbs	npm	<= 2.4.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from express-hbs's handling of the 'layout' parameter in the Express render API. When applications pass user-controlled data (e.g., req.query) to res.render, attackers can inject a 'layout' value pointing to arbitrary files. The engine resolves this parameter to read files from disk (with existing extensions) or appends .hbs to extensionless paths. The commit diff and advisory explicitly warn about this pattern, and the CWE-200/CWE-94 mappings confirm improper input validation and information exposure. While the exact internal function name isn't visible in provided data, the core issue manifests in the layout handling logic during rendering.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*xpr*ss-**s is *n *xpr*ss **n*l***rs t*mpl*t* *n*in*. *xpr*ss-**s mix*s pur* t*mpl*t* **t* wit* *n*in* *on*i*ur*tion options t*rou** t** *xpr*ss r*n**r *PI. Mor* sp**i*i**lly, t** l*yout p*r*m*t*r m*y tri***r *il* *is*losur* vuln*r**iliti*s in *ownst

Reasoning

T** vuln*r**ility st*ms *rom *xpr*ss-**s's **n*lin* o* t** 'l*yout' p*r*m*t*r in t** *xpr*ss r*n**r *PI. W**n *ppli**tions p*ss us*r-*ontroll** **t* (*.*., `r*q.qu*ry`) to `r*s.r*n**r`, *tt**k*rs **n inj**t * 'l*yout' v*lu* pointin* to *r*itr*ry *il*

5.4

Basic Information

Concerned about an active attack path?

CVE-2021-32817: Insecure template handling in express-hbs

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-32817:
Insecure template handling in express-hbs

Vulnerability Intelligence
Miggo AI