Bug 2452525 (CVE-2026-33938)
| Summary: | CVE-2026-33938 handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abuckta, cmah, dhanak, dkuc, drosa, eaguilar, ebaron, gotiwari, ibek, jcantril, jgrulich, jhorak, jkoehler, jolong, jrokos, lchilton, lphiri, mnovotny, mvyas, orabin, pjindal, rhel-process-autobot, rojacob, sausingh, sdawley, sfeifer, tpopela, watson-tool-maintainers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Handlebars. A remote attacker can exploit this vulnerability by manipulating the `@partial-block` special variable within the template data context. By overwriting `@partial-block` with a specially crafted Abstract Syntax Tree (AST) through a helper, a subsequent invocation of `{{> @partial-block}}` will compile and execute the malicious AST. This enables arbitrary JavaScript execution on the server, leading to potential compromise of the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2452602, 2452608, 2452613, 2452617, 2452651, 2452590, 2452592, 2452594, 2452621, 2452627, 2452631, 2452633, 2452636, 2452646, 2452654 | ||
| Bug Blocks: | |||
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.