CVE-2021-23383
Prototype Pollution vulnerability in handlebars
What is CVE-2021-23383 About?
The 'handlebars' package before 4.7.7 is vulnerable to Prototype Pollution when compiling templates from untrusted sources with certain options. This allows an attacker to inject arbitrary properties into object prototypes. Exploitation can be complex, depending on how templates are processed and what compile options are enabled.
Affected Software
Technical Details
This vulnerability in the 'handlebars' package arises from Prototype Pollution. When compiling templates from untrusted sources, particularly with specific compilation options, an attacker can craft template input that modifies the `Object.prototype`. This allows the attacker to inject arbitrary properties into all JavaScript objects, potentially altering application logic, bypassing security checks, or causing denial of service conditions by overwriting critical properties.
What is the Impact of CVE-2021-23383?
Successful exploitation may allow attackers to inject arbitrary properties into object prototypes, potentially leading to arbitrary code execution, privilege escalation, or denial of service.
What is the Exploitability of CVE-2021-23383?
Exploitation of this Prototype Pollution vulnerability typically requires an attacker to provide malicious template code to an application using 'handlebars'. The complexity is moderate, as it requires specific compile options to be enabled when processing untrusted templates. Authentication requirements would depend on whether untrusted template compilation is accessible to unauthenticated users. Privilege requirements are generally those of the application itself. This is typically a remote vulnerability, where an attacker supplies the malicious template via an accessible input vector. The risk is significantly increased in applications that allow users to submit or influence template content that is then compiled and rendered.
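The two defender-side checks that follow up on the risk described above, as an added example that is not part of this advisory or of the handlebars project: a lockfile scan that flags every copy of handlebars older than the 4.7.7 fix (nested copies under other dependencies included), and a runtime canary that reports properties that have appeared on a prototype since startup. All names (`compareVersions`, `findVulnerableHandlebars`, `snapshotPrototype`, `detectPollution`) and the sample lockfile are constructed for this example; only Node built-ins are used.

```javascript
// Added example, not from the advisory or from handlebars.js: dependency-tree
// and runtime checks for CVE-2021-23383. Self-contained; the lockfile below is
// constructed for the demo.

const FIXED_VERSION = '4.7.7'; // first fixed release named in the advisory

// Compare dotted numeric versions (leading range markers such as ^ and
// pre-release suffixes stripped). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.replace(/^[^0-9]*/, '').split('-')[0].split('.').map(Number);
  const pb = b.replace(/^[^0-9]*/, '').split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableHandlebarsVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfile v2/v3) and report
// every handlebars copy, top level or nested, that predates the fix.
function findVulnerableHandlebars(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/handlebars$/.test(path)) continue;
    if (meta && meta.version && isVulnerableHandlebarsVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Runtime canary: record a prototype's own property names at startup and
// later report anything that was added since. In a real service pass
// Object.prototype; the checks below use a throwaway object so nothing
// global is modified.
function snapshotPrototype(proto = Object.prototype) {
  return new Set(Reflect.ownKeys(proto).map(String));
}

function detectPollution(snapshot, proto = Object.prototype) {
  return Reflect.ownKeys(proto).map(String).filter((k) => !snapshot.has(k));
}

// Constructed sample lockfile: one patched copy and one stale nested copy.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/handlebars': { version: '4.7.7' },
    'node_modules/some-tool/node_modules/handlebars': { version: '4.5.3' },
  },
};

console.log(JSON.stringify(findVulnerableHandlebars(SAMPLE_LOCK)));
```

The lockfile scan matters because a patched top-level `handlebars` does not clear a second, older copy that another package pins beneath itself; the canary is a cheap health check for long-running processes that compile templates, and it belongs in a periodic self-test rather than on the request path.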
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| dn9uy3n | Link | Check the conditions for exploiting CVE-2021-23383 through the handlebars library version assessment. |
| fazilbaig1 | Link | The package handlebars before 4.7.7 is vulnerable to Prototype Pollution when selecting certain compiling options to compile templates coming from an untrusted source. |
What are the Available Fixes for CVE-2021-23383?
About the Fix from Resolved Security
This patch modifies how template variables are handled by passing property names through JSON.stringify before looking them up, ensuring special characters and escape sequences are properly encoded. This prevents prototype pollution and arbitrary property access vulnerabilities present in CVE-2021-23383, where unescaped user input could lead to bypassing object property restrictions.
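A stripped-down model of the two defenses the fix description above relies on, as an added example that is not the handlebars.js source: `emitLookup` is a tiny code generator that passes the property name through `JSON.stringify`, so whatever characters a template author used, the emitted source contains a string literal and nothing else; `lookupProperty` is the runtime side and returns own properties only, so inherited members such as `constructor` and `__proto__` are unreachable from template data. The function names, the `depth0` parameter and the sample data are assumptions made for this example.

```javascript
// Added example, not handlebars' own code: a minimal compile-time/runtime
// pair showing why encoding property names with JSON.stringify and restricting
// lookups to own properties closes the hole described above. Names and data
// are constructed for the demo.

// Runtime side: only own properties are visible to template code; anything
// inherited from a prototype (constructor, __proto__, toString, ...) yields
// undefined by design.
function lookupProperty(parent, propertyName) {
  if (parent === null || parent === undefined) return undefined;
  return Object.prototype.hasOwnProperty.call(parent, propertyName)
    ? parent[propertyName]
    : undefined;
}

// Compile-time side: emit the source for one path segment. JSON.stringify
// escapes quotes, backslashes and newlines, so the name can only ever be a
// string literal argument, never executable code or a bare member access.
function emitLookup(parentExpr, propertyName) {
  return 'lookupProperty(' + parentExpr + ', ' + JSON.stringify(propertyName) + ')';
}

// Emit nested lookups for a path such as ['user', 'name'].
function emitPath(segments) {
  return segments.reduce((expr, seg) => emitLookup(expr, seg), 'depth0');
}

// Turn the emitted source into a callable, the way a template compiler does.
function compilePath(segments) {
  const body = 'return ' + emitPath(segments) + ';';
  const fn = new Function('lookupProperty', 'depth0', body);
  return (data) => fn(lookupProperty, data);
}

// Constructed sample data, including a key whose characters would break naive
// string concatenation into generated source.
const SAMPLE = { user: { name: 'alice', 'a"b\\c\n': 'awkward key' } };

console.log(emitPath(['user', 'a"b\\c\n']));
console.log(compilePath(['user', 'name'])(SAMPLE));
```

The useful observation is that neither half is sufficient alone: encoding the name keeps the generated code well-formed, and the own-property check keeps a well-formed lookup from walking up into `Object.prototype`, which is the path a pollution attempt needs.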
Available Upgrade Options
- handlebars
- <4.7.7 → Upgrade to 4.7.7
Additional Resources
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml
- https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032
- https://github.com/handlebars-lang/handlebars.js
- https://security.netapp.com/advisory/ntap-20210618-0007/
- https://osv.dev/vulnerability/GHSA-765h-qjxv-5f44
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030
What are Similar Vulnerabilities to CVE-2021-23383?
Similar Vulnerabilities: CVE-2020-15256, CVE-2021-23434, CVE-2020-28283, CVE-2020-28281, CVE-2019-10744
