Handlebars Remote Code Execution Vulnerability via AST Injection

Vulnerability

A critical remote code execution vulnerability has been identified in Handlebars versions 4.0.0 through 4.7.8. `Handlebars.compile()` accepts not only a template string but also a pre-parsed Abstract Syntax Tree (AST) object, and the compiler emits the `value` field of a `NumberLiteral` AST node directly into the generated JavaScript source without quoting or validating it. An attacker who can supply a crafted AST therefore controls part of the function body that Handlebars builds and evaluates, and can run arbitrary JavaScript in the server process. The vulnerability is reachable in any application that deserializes user-controlled JSON and passes the resulting object to `Handlebars.compile()` without first checking that it is a string.

Impact

Successful exploitation yields arbitrary JavaScript execution inside the Node.js process that calls `Handlebars.compile()`, with that process's privileges, which amounts to remote code execution on the server.

Reproduction

To reproduce, send a POST request to an endpoint that passes part of the request body to `Handlebars.compile()`. The body must contain a JSON object shaped like a Handlebars AST (a `Program` node) that includes a `NumberLiteral` node whose `value` is a string of JavaScript rather than a number, for example a payload that runs a shell command. When the server compiles the object, that string is spliced unquoted into the generated template code and runs in the server process, demonstrating the vulnerability.

Remediation

Upgrade to Handlebars 4.7.9, which adds validation of AST node values before code generation. Independently of the upgrade, never hand a deserialized object to `Handlebars.compile()`: check that the template is a string (`typeof template === 'string'`) and reject anything else, since the object form of `compile()` is meant for pre-parsed input the application itself produced. If templates are precompiled at build time, use the runtime-only build (`require('handlebars/runtime')`) on the server; it contains no compiler, so this injection surface is absent.
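The guard the remediation calls for, together with a scanner for the payload shape described under Reproduction, as an added example that is not part of the original advisory or of Handlebars itself. It assumes an application that passes request-body content to a compile function; `assertTemplateString`, `findUnsafeNumberLiterals`, `renderUntrusted`, `demoCompile` and the constructed `MALICIOUS_AST` are this example's own names, and `demoCompile` is a stand-in for `require('handlebars').compile` so the file runs without the package installed.

```javascript
'use strict';

// Added example (not Handlebars' own code): a server-side guard for an
// endpoint that compiles user-supplied templates, plus a scanner for the
// AST shape this advisory describes. The compiler is injected as the
// `compile` argument so the file runs without the handlebars package; in a
// real service it would be require('handlebars').compile.

// Handlebars.compile() accepts a template string or a pre-parsed AST object
// whose `type` is 'Program'. Only a string is safe to accept from a client,
// so everything else is rejected before it can reach the compiler.
function assertTemplateString(input) {
  if (typeof input !== 'string') {
    const got = input === null ? 'null' : Array.isArray(input) ? 'array' : typeof input;
    throw new TypeError(`template must be a string, got ${got}`);
  }
  return input;
}

// Walk a deserialized object the way the compiler would walk an AST and
// return the JSON path of every NumberLiteral whose `value` is not a finite
// number. A legitimate NumberLiteral carries a number; a string there is the
// injection primitive this advisory describes (the value is spliced raw into
// generated source). Intended for request logging or WAF-style triage.
function findUnsafeNumberLiterals(node, path = '$', out = []) {
  if (node === null || typeof node !== 'object') return out;
  if (Array.isArray(node)) {
    node.forEach((child, i) => findUnsafeNumberLiterals(child, `${path}[${i}]`, out));
    return out;
  }
  if (node.type === 'NumberLiteral' && !Number.isFinite(node.value)) {
    out.push({ path, value: node.value });
  }
  for (const key of Object.keys(node)) {
    findUnsafeNumberLiterals(node[key], `${path}.${key}`, out);
  }
  return out;
}

// Hardened render path: validate the type, then compile, then render.
function renderUntrusted(templateInput, compile, context) {
  const source = assertTemplateString(templateInput);
  return compile(source)(context);
}

// Stand-in for require('handlebars').compile (hypothetical, for this demo):
// returns a render function that substitutes {{name}} placeholders.
function demoCompile(source) {
  return (ctx) => source.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, k) => String(ctx[k] ?? ''));
}

// Constructed payload with the shape the advisory describes: a Program AST
// containing a NumberLiteral whose value is JavaScript, not a number. The
// injected statement is a harmless marker, not a working exploit.
const MALICIOUS_AST = {
  type: 'Program',
  body: [{
    type: 'MustacheStatement',
    path: { type: 'PathExpression', original: 'x', parts: ['x'], depth: 0, data: false },
    params: [{ type: 'NumberLiteral', value: '1); globalThis.injected = true; (1' }],
    hash: undefined,
    strip: {},
  }],
  strip: {},
};

// The same tree with a genuine numeric literal, which the scanner must accept.
const BENIGN_AST = JSON.parse(JSON.stringify(MALICIOUS_AST));
BENIGN_AST.body[0].params[0].value = 42;

// Stand-alone demonstration: the string template renders, the AST is refused.
console.log(renderUntrusted('Hello {{name}}', demoCompile, { name: 'Ada' }));
console.log('unsafe literals in payload:', findUnsafeNumberLiterals(MALICIOUS_AST));
try {
  renderUntrusted(MALICIOUS_AST, demoCompile, {});
} catch (e) {
  console.log('rejected:', e.message);
}
```

The type check is the control that closes the hole regardless of the library version; the scanner is a secondary signal for spotting probes in logs, since a `NumberLiteral` whose value is anything other than a number has no legitimate reason to appear in a request body.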

Added: Mar 27, 2026, 9:23 PM
Updated: Mar 27, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread          7.8
impact         10.0
exploitability  6.0
remediation     7.9
relevance       4.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.