{"id":"CVE-2021-23369","details":"Versions of the handlebars package before 4.7.7 are vulnerable to Remote Code Execution (RCE) when certain compile options are selected to compile templates coming from an untrusted source.","aliases":["GHSA-f2jv-r9rf-7988"],"modified":"2026-04-10T04:30:23.211590Z","published":"2021-04-12T14:15:14.383Z","related":["CGA-36j8-6jmc-8fcc","SNYK-JAVA-ORGWEBJARS-1074950","SNYK-JAVA-ORGWEBJARSBOWER-1074951","SNYK-JAVA-ORGWEBJARSNPM-1074952","SNYK-JS-HANDLEBARS-1056767"],"references":[{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210604-0008/"},{"type":"FIX","url":"https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8"},{"type":"FIX","url":"https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/handlebars-lang/handlebars.js","events":[{"introduced":"0"},{"fixed":"a9a8e403213583ca90cb7c872d3a22796c37d961"},{"fixed":"b6d3de7123eebba603e321f04afdbae608e8fea8"},{"fixed":"f0589701698268578199be25285b2ebea1c1e427"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.7.7"}]}}],"versions":["0.9.0.pre.4","1.0.0","1.0.0-rc.3","1.0.0-rc.4","1.0.0.beta.1","1.0.rc.2","v1.0.10","v1.0.11","v1.0.12","v1.0.6","v1.0.6-2","v1.0.6beta","v1.0.8","v1.0.9","v1.1.0","v1.1.1","v1.1.2","v1.2.0","v1.2.1","v1.3.0","v2.0.0","v2.0.0-alpha.1","v2.0.0-alpha.2","v2.0.0-alpha.3","v2.0.0-alpha.4","v2.0.0-beta.1","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v4.0.0","v4.0.1","v4.0.10","v4.0.11","v4.0.12","v4.0.2","v4.0.3","v4.0.4","v4.0.5","v4.0.6","v4.0.7","v4.0.8","v4.0.9","v4.1.1","v4.1.2","v4.1.2-0","v4.2.0","v4.2.1","v4.3.0","v4.3.1","v4.3.2","v4.3.3","v4.3.4","v4.4.0","v4.4.1","v4.4.2","v4.4.3","v4.5.0","v4.5.1","v4.5.2","v4.5.3","v4.6.0","v4.7.0","v4.7.1","v4.7.2","v4.7.3","v4.7.4","v4.7.5","v4.7.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23369.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}