Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| handlebars (npm) | 4.0.0 | 4.3.0 | N/A |
| bootstrap-wysihtml5-rails (RubyGems) | 0.3.3.5 | N/A | N/A |
| handlebars (npm) | 0 | 3.0.8 | N/A |
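To turn the table above into a check an inventory or CI script can run, here is an added example (not part of the advisory or of handlebars itself) that decides whether an installed version falls inside one of the listed ranges. It assumes the ranges are "introduced (inclusive) to fixed (exclusive)", with a missing fix version meaning every later version is still affected; the range constants are transcribed from the table.

```javascript
// Added example, not from the advisory: test an installed version against
// the affected ranges in the table. A range is introduced (inclusive) ..
// fixed (exclusive); no "fixed" means every version from "introduced" on.
const HANDLEBARS_RANGES = [
  { introduced: "4.0.0", fixed: "4.3.0" },
  { introduced: "0", fixed: "3.0.8" },
];
const BOOTSTRAP_WYSIHTML5_RAILS_RANGES = [{ introduced: "0.3.3.5" }];

// Split "4.3.0-rc.1+build" into numeric core parts plus a pre-release flag.
// Build metadata after "+" is ignored; non-numeric core parts are rejected.
function parseVersion(v) {
  const [core, pre] = String(v).trim().split("+")[0].split("-", 2);
  const parts = core.split(".").map((p) => Number.parseInt(p, 10));
  if (parts.some((n) => Number.isNaN(n) || n < 0)) {
    throw new Error(`invalid version: ${v}`);
  }
  return { parts, prerelease: pre !== undefined };
}

// Compare two versions part by part (missing parts count as 0); a
// pre-release sorts before its release, so 4.3.0-rc.1 is still affected.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const len = Math.max(pa.parts.length, pb.parts.length);
  for (let i = 0; i < len; i++) {
    const x = pa.parts[i] ?? 0;
    const y = pb.parts[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

// True when introduced <= version < fixed holds for any listed range.
function isAffected(version, ranges = HANDLEBARS_RANGES) {
  return ranges.some(
    ({ introduced, fixed }) =>
      compareVersions(version, introduced) >= 0 &&
      (fixed === undefined || compareVersions(version, fixed) < 0)
  );
}
```

Note that versions between 3.0.8 and 4.0.0 are not covered by either handlebars range in the table, so the check reports them as unaffected; that mirrors the advisory data rather than any independent assessment.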
CVSS Metrics