Handlebars.js Denial-of-Service Vulnerability via Unregistered Decorator References

Vulnerability

A denial-of-service vulnerability has been identified in Handlebars.js versions 4.0.0 through 4.7.8. The issue arises when a template uses decorator syntax to reference a decorator that has not been registered. The compiled template attempts to look up the decorator, finds it undefined, and then tries to invoke it as a function. This results in an unhandled TypeError that crashes the Node.js process. Applications that compile user-generated templates without proper error handling are susceptible to this vulnerability, allowing a single request to disrupt service.

Impact

Exploitation of this vulnerability leads to an unhandled TypeError that crashes the Node.js process. The disruption can persist even where a process supervisor such as PM2 or systemd automatically restarts the service, since the crash recurs on the next request that triggers it.

Reproduction

To reproduce this vulnerability, compile a Handlebars template that includes unregistered decorator references, such as '{{*n}}', using a version of Handlebars.js prior to the patch. The compilation will throw a TypeError, crashing the Node.js process.

Remediation

Users can upgrade to Handlebars.js version 4.7.9 or later, where this vulnerability has been fixed. Additionally, templates can be validated before compilation to ensure they do not contain unregistered decorators, and the compilation process can be wrapped in a try-catch block to handle potential errors gracefully.
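The pre-compilation validation and try-catch guard described above, as an added example that is not part of this advisory or of the Handlebars project. It assumes Handlebars is passed in as a `compile` function and that the registered decorator names are supplied by the caller (for instance from `Object.keys(Handlebars.decorators)`); decorator names are assumed to be plain identifiers.

```javascript
// Added example (not from the advisory or the Handlebars project): check a
// template for decorator references before compiling it, and turn any throw
// from compile/render into an error value instead of an uncaught exception.

// Matches {{*name}}, {{#*name}} and whitespace-control variants such as {{~*name}}.
// Assumption: decorator names are plain identifiers; bracketed [literal] names
// and other path syntax are not handled here.
const DECORATOR_REF = /\{\{~?\s*#?\s*\*\s*([A-Za-z_$][\w$]*)/g;

// Names of all decorators referenced in the template source (deduplicated).
function findDecoratorReferences(source) {
  const names = new Set();
  for (const match of source.matchAll(DECORATOR_REF)) {
    names.add(match[1]);
  }
  return [...names];
}

// Referenced decorators that are not among the registered names.
function unregisteredDecorators(source, registeredNames) {
  const registered = new Set(registeredNames);
  return findDecoratorReferences(source).filter((n) => !registered.has(n));
}

// `compile` is assumed to behave like Handlebars.compile: it returns a render
// function. Templates referencing unknown decorators are rejected up front;
// anything thrown during compile or render is returned as a result object so
// the caller can answer with e.g. HTTP 400 instead of crashing the process.
function safeRender(compile, source, context, registeredNames) {
  const missing = unregisteredDecorators(source, registeredNames);
  if (missing.length > 0) {
    return { ok: false, error: `unregistered decorator(s): ${missing.join(', ')}` };
  }
  try {
    const render = compile(source);
    return { ok: true, output: render(context) };
  } catch (err) {
    return { ok: false, error: `template failed: ${err.message}` };
  }
}
```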

Added: Mar 27, 2026, 10:31 PM
Updated: Mar 27, 2026, 10:31 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 4.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.