CVE-2021-32820
Information Disclosure vulnerability in express-handlebars (npm)

Information Disclosure | No known exploit

What is CVE-2021-32820 About?

Express-handlebars, a Handlebars view engine for Express, mixes pure template data with engine configuration options in the single object passed through Express's render API. If untrusted input reaches the `layout` option, an attacker can point it at a file outside the layouts directory; because the engine appends its template extension only to values that have no extension, any readable file that already has an extension can be rendered into the response and disclosed.

Affected Software

express-handlebars <5.3.1

Technical Details

The vulnerability in express-handlebars (a Handlebars view engine for Express) stems from its mixing of pure template data with engine configuration options: the object an application passes as the second argument of `res.render()` is used both as the template context and as the source of engine options such as `layout`. An application that forwards request-controlled data into that object (for example `res.render('search', req.query)`) therefore lets the client choose the layout file. When resolving the layout path, the engine treats values with and without an extension differently: a value without an extension (`main`, `/etc/passwd`) gets the configured template extension appended (`.handlebars` by default), so the lookup fails for such files; a value that already has an extension (`../../package.json`, `/app/config/secrets.yaml`) is used as-is. Because the value is resolved as a file path rather than restricted to names inside the layouts directory, the attacker can reach files elsewhere on the filesystem. The chosen file is then compiled and rendered as the layout template, so its contents are returned to the client with no access control applied. The net constraint is that only files with an existing extension can be disclosed; files that lack one are protected incidentally by the appended `.handlebars`.

What is the Impact of CVE-2021-32820?

Successful exploitation allows an attacker to read arbitrary files that the Node.js process can access and that have an existing file extension. Typical targets are application configuration files, source code, lock files and other material that may contain credentials, internal hostnames or other confidential information.

What is the Exploitability of CVE-2021-32820?

Exploitation of this Information Disclosure vulnerability is of moderate complexity: the attacker must be able to set the `layout` key of the object the application hands to `res.render()`, and must name a file that already has an extension. Authentication and privilege requirements depend on whether the affected endpoint is protected; the vulnerability itself does not require elevated privileges. Access is remote whenever request data (query string, form body, JSON body) flows into the render object without filtering. A specific constraint is that only files with existing extensions can be disclosed; a value without an extension has `.handlebars` appended, which prevents the lookup from succeeding. Risk is highest in applications that pass untrusted objects directly as the render context; building the context from an explicit allowlist of keys and setting `layout` from application code removes the attacker's control of the option even before the upgrade.

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary listed).

What are the Available Fixes for CVE-2021-32820?

Available Upgrade Options

  • express-handlebars
    • <5.3.1 → Upgrade to 5.3.1

Additional Resources

What are Similar Vulnerabilities to CVE-2021-32820?

Similar Vulnerabilities: CVE-2021-42007, CVE-2022-21703, CVE-2020-7709, CVE-2020-7754, CVE-2020-7768