Security Vulnerability Report
Summary
- Package: handlebars
- Affected Version: 4.7.8 (current)
- Fixed Version: 4.7.9
- Severity: CRITICAL
- GHSA: GHSA-2w6w-674q-4c4q
- CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Vulnerability Details
handlebars@4.7.8 contains multiple vulnerabilities (all fixed in 4.7.9):
| GHSA | Severity | CVSS | Title |
| --- | --- | --- | --- |
| GHSA-2w6w-674q-4c4q | CRITICAL | 9.8 | JavaScript Injection via AST Type Confusion |
| GHSA-xjpj-3mr7-gcpf | HIGH | 8.3 | JavaScript Injection in CLI Precompiler via Unescaped Names and Options |
| GHSA-xhpv-hc6g-r9c6 | HIGH | 8.1 | JavaScript Injection via AST Type Confusion (object as dynamic partial) |
| GHSA-3mfm-83xf-c92r | HIGH | 8.1 | JavaScript Injection via tampering @partial-block |
| GHSA-9cx6-37pm-9jff | HIGH | 7.5 | Denial of Service via Malformed Decorator Syntax in Template Compilation |
| GHSA-2qvq-rjwj-gvw9 | MODERATE | 4.7 | Prototype Pollution Leading to XSS through Partial Template Injection |
The most severe issue (CVSS 9.8) allows JavaScript injection via AST type confusion. An attacker who can control template input can execute arbitrary JavaScript code through type confusion in the Handlebars AST processor.
Dependency Chain
gh-aw-firewall (dev)
└── ts-jest@^29.4.6
└── handlebars@^4.7.8 ← vulnerable (4.7.8 installed, 4.7.9 fixes all issues)
This is a devDependency used only in the test pipeline (ts-jest), so it does not affect the firewall runtime or production behavior. However, a compromised test pipeline could still impact developer machines and CI environments.
Impact on gh-aw-firewall
Since handlebars is pulled in only as a transitive dev dependency through ts-jest, the attack surface is limited to:
- Developer workstations running npm test
- CI/CD build runners executing the test suite
Runtime firewall behavior is not affected. Nevertheless, as a security-critical project, the test toolchain should also maintain a clean vulnerability profile.
Remediation Steps
- Recommended Fix: npm audit fix upgrades handlebars to 4.7.9 (patch update, no breaking changes)
- Command: npm audit fix
- This is being tracked in a companion dependency update PR.
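The dependency chain and fixed version above, as an added example that is not part of the report or the gh-aw-firewall project: a lockfile check that flags any installed handlebars below 4.7.9 and reconstructs the chain that pulls it in. The package-lock.json content is constructed to mirror the reported chain; npm audit remains the authoritative source.

```javascript
// Added example, not code from the report or the gh-aw-firewall project. The lockfile
// below (npm lockfileVersion 3 layout) is constructed to mirror the reported chain.
const sampleLock = {
  packages: {
    "": { name: "gh-aw-firewall", devDependencies: { "ts-jest": "^29.4.6" } },
    "node_modules/ts-jest": { version: "29.4.6", dev: true, dependencies: { handlebars: "^4.7.8" } },
    "node_modules/handlebars": { version: "4.7.8", dev: true },
  },
};
// Compare MAJOR.MINOR.PATCH numerically; pre-release suffixes are dropped.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}
// Installed name is the last segment of a key such as "node_modules/a/node_modules/@s/b".
const packageName = (key) => key.split("node_modules/").pop();
// Node-style resolution: find `name` in the nearest node_modules, walking up to the root.
function resolveDep(pkgs, fromKey, name) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (pkgs[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}
// Shortest chain of package names from the root to `targetKey`, as `npm ls` would print it.
function chainTo(pkgs, targetKey) {
  const queue = [[""]], seen = new Set([""]);
  while (queue.length) {
    const path = queue.shift(), here = path[path.length - 1];
    if (here === targetKey) return path.map((k) => (k ? packageName(k) : pkgs[""].name));
    const meta = pkgs[here] || {};
    for (const dep of Object.keys({ ...meta.dependencies, ...meta.devDependencies })) {
      const next = resolveDep(pkgs, here, dep);
      if (next && !seen.has(next)) { seen.add(next); queue.push([...path, next]); }
    }
  }
  return null;
}
// Every installed copy of `name` older than `fixedVersion`, with its chain and dev flag.
function findVulnerable(lock, name, fixedVersion) {
  return Object.entries(lock.packages)
    .filter(([key, meta]) => key && packageName(key) === name && compareVersions(meta.version, fixedVersion) < 0)
    .map(([key, meta]) => ({ version: meta.version, dev: !!meta.dev, chain: chainTo(lock.packages, key) }));
}
// For the sample lock this yields one dev finding: gh-aw-firewall > ts-jest > handlebars@4.7.8
const findings = findVulnerable(sampleLock, "handlebars", "4.7.9");
```

Run the same check against the real package-lock.json after `npm audit fix`; an empty result confirms the transitive copy moved to 4.7.9.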
Testing Required
- npm test
References
Detection Details
- Detected by: Dependency Security Monitor Workflow
- Detection Time: 2026-03-28T00:53:03Z
- Source: npm audit
Generated by Dependency Security Monitor