Handlebars CLI Precompiler JavaScript Injection Vulnerability

Vulnerability

A vulnerability exists in the Handlebars CLI precompiler (versions 4.0.0 through 4.7.8) that allows for JavaScript injection via unescaped template filenames and command-line options. The precompiler concatenates these user-controlled strings directly into the JavaScript output, creating four injection points: template name, namespace, CommonJS path, and AMD path. An attacker can exploit this vulnerability to inject arbitrary JavaScript that executes when the generated bundle is loaded in Node.js or a browser.

Impact

Exploitation of this vulnerability allows for arbitrary JavaScript injection, which can execute in the context of the application using the Handlebars template.

Reproduction

To reproduce this vulnerability, use the Handlebars CLI precompiler with a template filename or CLI option that includes unescaped characters such as quotes or semicolons. This can be done by creating a template file with an injected script and then compiling it with the Handlebars CLI, or by using command-line options that exploit the same injection points.

Remediation

Users can upgrade to Handlebars version 4.7.9, which addresses this vulnerability. Additionally, it's recommended to validate all CLI inputs, use a trusted namespace string from a configuration file instead of command-line arguments, run the precompiler in a sandboxed environment, and audit template filenames in repositories or packages used by automated build pipelines.

Added: Mar 27, 2026, 10:29 PM
Updated: Mar 27, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm (score per category)

spread           5.4
impact          10.0
exploitability   5.8
remediation      7.9
relevance        4.8
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.