RubySec

Providing security resources for the Ruby community

CVE-2021-23369 (handlebars-source): Remote code execution in handlebars when compiling templates

ADVISORIES

GEM

handlebars-source

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

  • >= 4.7.7

DESCRIPTION

The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when selecting certain compiling options to compile templates coming from an untrusted source. This vulnerability has been assigned the CVE identifier CVE-2021-23369.