handlebars
cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:node.js:*:*
- >= 4.0.0, <= 4.7.8
A vulnerability in Handlebars versions 4.0.0 through 4.7.8 allows arbitrary JavaScript execution on the server. The issue arises because the @partial-block variable can be overwritten with a crafted Handlebars Abstract Syntax Tree (AST) using registered helpers that accept object references. When the modified @partial-block is invoked as a partial, the injected code is executed. The vulnerability is exploited by manipulating the template data context to introduce malicious payloads that abuse the AST handling in the Handlebars runtime.
Exploitation of this vulnerability allows for remote code execution on the server where Handlebars is used.
To reproduce this vulnerability, use Handlebars version 4.7.8 and register a helper that can write to the context, such as the 'merge' helper from the 'handlebars-helpers' package. Create a template that uses the @partial-block variable and overwrite it with a crafted AST that includes JavaScript code. When the template is compiled and executed, the injected code will run on the server.
Update Handlebars to version 4.7.9 or later, and avoid using third-party helpers that can manipulate the context in untrusted templates.
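To check a project against the affected range above, the following added example (not code from this advisory or from the Handlebars project) walks an npm lockfile and reports every installed copy of Handlebars from 4.0.0 through 4.7.8, including copies nested under other dependencies, and notes whether handlebars-helpers is installed. It assumes the npm lockfile v2/v3 layout with a top-level "packages" map; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit an npm lockfile for Handlebars >= 4.0.0, <= 4.7.8.
// Parse "x.y.z"; prerelease/build suffixes are ignored (assumption of this example).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

const AFFECTED_MIN = [4, 0, 0];
const AFFECTED_MAX = [4, 7, 8];

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
}

// Walk every installed copy, including nested node_modules paths.
function auditLockfile(lock) {
  const report = { affected: [], unparsed: [], contextWritingHelpers: [] };
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === "handlebars") {
      if (parseVersion(meta.version) === null) report.unparsed.push(path);
      else if (isAffected(meta.version)) report.affected.push({ path, version: meta.version });
    } else if (name === "handlebars-helpers") {
      report.contextWritingHelpers.push(path); // package named in this advisory
    }
  }
  return report;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/handlebars": { version: "4.7.9" },
    "node_modules/handlebars-helpers": { version: "0.10.0" },
    "node_modules/legacy-mailer/node_modules/handlebars": { version: "4.7.8" },
    "node_modules/old-cli/node_modules/handlebars": { version: "3.0.8" },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A nested copy such as the one under legacy-mailer in the sample stays affected even after the top-level dependency is updated, so the report lists each path separately.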