CVE-2026-33916
Status: Received - Intake
Prototype Pollution Enables Reflected XSS in Handlebars Runtime

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in the Handlebars runtime resolves partial names via a plain property lookup on `options.partials` without guarding against prototype-chain traversal. When `Object.prototype` has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS. Version 4.7.9 fixes the issue. Two workarounds are available: apply `Object.freeze(Object.prototype)` early in application startup to prevent prototype pollution (note that this may break other libraries), and/or use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-03-28
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: handlebarsjs
Product: handlebars
Version / Range: from 4.0.0 (inclusive) to 4.7.9 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Handlebars.js npm package versions 4.0.0 through 4.7.8, specifically in the `resolvePartial()` function of the Handlebars runtime. The function resolves a partial name by directly reading `options.partials[name]` without checking that `name` is an own property of that object, so a name that was never registered as a partial falls through to the prototype chain. If an attacker has polluted `Object.prototype` with a string value under a key that matches a partial name used in a template, that string is used as the partial body.

As a result, this allows reflected or stored Cross-Site Scripting (XSS): partial bodies are treated as template content rather than as data, so the polluted string reaches the rendered output without HTML escaping, and any script or event-handler markup in it executes in the victim's browser.
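The following is an added example, not Handlebars' own code and not the 4.7.9 patch. It models the bug class in a toy renderer (the template syntax, the `render()` helper and the partial names are assumptions made for the demo): a resolver that reads `partials[name]` with no own-property check picks up a polluted `Object.prototype` string and splices it into the page unescaped, while a resolver guarded with `hasOwnProperty` treats the same name as an unregistered partial.

```javascript
// Added example, not Handlebars' own code: a minimal model of the bug class
// behind CVE-2026-33916. A partial lookup that reads partials[name] without an
// own-property check walks into Object.prototype, so a polluted string is
// emitted as a partial body. Partial bodies are template content, not data,
// so they are not HTML-escaped. The guarded resolver beside it is the fix
// pattern; the real Handlebars code and its 4.7.9 patch are not reproduced here.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Vulnerable pattern: plain property access follows the prototype chain.
function resolvePartialUnsafe(partials, name) {
  return partials[name];
}

// Hardened pattern: only own, string-valued entries of `partials` count.
function resolvePartialSafe(partials, name) {
  if (!Object.prototype.hasOwnProperty.call(partials, name)) return undefined;
  const body = partials[name];
  return typeof body === 'string' ? body : undefined;
}

// Toy renderer (assumption: just enough syntax for this demo). `{{> name}}`
// splices a partial body in verbatim; `{{key}}` is an escaped value lookup.
function render(template, context, partials, resolve) {
  return template
    .replace(/\{\{>\s*([\w.-]+)\s*\}\}/g, (_, name) => {
      const body = resolve(partials, name);
      if (body === undefined) throw new Error(`The partial ${name} could not be found`);
      return body;
    })
    .replace(/\{\{\s*([\w.-]+)\s*\}\}/g, (_, key) =>
      Object.prototype.hasOwnProperty.call(context, key) ? escapeHtml(context[key]) : '');
}

// Pollute, render with both resolvers, clean up. How the attacker gets a write
// to Object.prototype is out of scope here, so it is simulated by assignment.
function demo() {
  const template = '<div>{{> header}}<p>{{msg}}</p>{{> footer}}</div>';
  const partials = { footer: '<footer>ok</footer>' };  // "header" was never registered
  const context = { msg: '<b>hi</b>' };
  const results = {};

  Object.prototype.header = '<img src=x onerror=alert(1)>';   // simulated pollution
  try {
    results.unsafe = render(template, context, partials, resolvePartialUnsafe);
    try {
      render(template, context, partials, resolvePartialSafe);
      results.safe = 'rendered';
    } catch (e) {
      results.safe = e.message;    // the guarded resolver treats "header" as missing
    }
    results.safeRegistered = render('{{> footer}}', context, partials, resolvePartialSafe);
  } finally {
    delete Object.prototype.header;  // leave the process clean
  }
  return results;
}

console.log(demo());
```

Note the asymmetry in the output: `{{msg}}` is escaped (`&lt;b&gt;hi&lt;/b&gt;`), but the polluted `header` body arrives in the page as raw markup, which is why the impact is XSS rather than a harmless stray string. The safe resolver fails closed with the same "could not be found" error it would give for any unregistered partial.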


How can this vulnerability impact me?

If your application uses a vulnerable version of Handlebars.js and is also susceptible to prototype pollution, an attacker can inject malicious markup into your web pages via template partials. This is a Cross-Site Scripting (XSS) vector: the attacker's JavaScript executes in your users' browsers, which may allow:

  • Stealing sensitive user information such as cookies or session tokens.
  • Performing actions on behalf of the user without their consent.
  • Defacing the website or injecting misleading content.

The attack requires the attacker to be able to pollute `Object.prototype` and to know or guess a partial name referenced in your templates; the Handlebars flaw only converts an existing pollution primitive into XSS. The vulnerability is rated moderate severity with a CVSS score of 4.7: network attack vector, high attack complexity and user interaction required.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability is triggered when the Handlebars runtime resolves a partial name via a plain property lookup on `options.partials` that falls through to `Object.prototype`. Detection therefore has two parts: confirming that a vulnerable Handlebars version (4.0.0 through 4.7.8) is installed, and checking whether `Object.prototype` carries string-valued properties whose names match partial references in your templates.

Since the vulnerability depends on both prototype pollution and a matching partial reference, detection can include:

  • Inspecting your application's dependency tree to confirm whether any installed copy of Handlebars is between 4.0.0 and 4.7.8.
  • Checking for prototype pollution by examining `Object.prototype` for unexpected string-valued own properties, and comparing their names against the partial names your templates use.
  • Monitoring application logs or runtime warnings for prototype-access warnings emitted by the Handlebars runtime.

Specific commands are not provided in the resources, but you can use JavaScript debugging or inspection commands such as:

  • In a Node.js REPL or at a debugger breakpoint, run `Object.getOwnPropertyNames(Object.prototype)`; a clean runtime lists only the built-in methods and `__proto__`, so any additional name is pollution. (`console.log(Object.prototype)` shows only enumerable additions, so it can miss properties added with `Object.defineProperty`.)
  • Run `npm ls handlebars` to list every installed copy of Handlebars and its version, including copies pulled in transitively by other packages.
  • Review application templates for `{{> name}}` partial references and correlate the names with any suspicious `Object.prototype` properties.
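The script below is an added example, not part of the advisory or of Handlebars, that automates the three checks above inside a Node.js process: it classifies a Handlebars version against the advisory's range, lists string-valued own properties on `Object.prototype` (none of the built-ins are strings, so any hit is pollution of the shape this CVE needs), and extracts `{{> name}}` references from template source to find the intersection. The sample templates, the `report()` wrapper and the `proto` parameter (which lets the check run on a snapshot or a test object) are assumptions for the demo; `require('handlebars/package.json')` resolves only if the package is installed.

```javascript
// Added example, not from the advisory or from Handlebars. Two checks for the
// conditions this CVE needs: (1) an installed handlebars in the affected range
// 4.0.0 <= v < 4.7.9, and (2) string-valued own properties on Object.prototype
// whose names collide with {{> name}} partial references in the templates.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Affected range from the advisory: 4.0.0 (inclusive) to 4.7.9 (exclusive).
function isAffectedHandlebars(version) {
  return compareVersions(version, '4.0.0') >= 0 && compareVersions(version, '4.7.9') < 0;
}

// Version of the handlebars package resolvable from this process, if any.
function installedHandlebarsVersion() {
  try { return require('handlebars/package.json').version; } catch { return null; }
}

// Own properties of `proto` whose value is a string. On a clean runtime none of
// Object.prototype's built-ins qualify (they are functions, or the __proto__
// accessor), so any hit is pollution of exactly the shape this CVE needs.
// `proto` is a parameter so the check can also run on a snapshot or a test object.
function suspiciousPrototypeStrings(proto = Object.prototype) {
  const out = {};
  for (const name of Object.getOwnPropertyNames(proto)) {
    const d = Object.getOwnPropertyDescriptor(proto, name);
    if (d && 'value' in d && typeof d.value === 'string') out[name] = d.value;
  }
  return out;
}

// Partial names referenced as {{> name}} or {{#> name}} in template source.
function partialReferences(templateSource) {
  const names = new Set();
  const re = /\{\{#?>\s*([\w.\/-]+)/g;
  let m;
  while ((m = re.exec(templateSource)) !== null) names.add(m[1]);
  return [...names];
}

// Cross-reference: polluted keys that match a partial name the app uses.
function atRiskPartials(templateSources, proto = Object.prototype) {
  const polluted = suspiciousPrototypeStrings(proto);
  const refs = new Set(templateSources.flatMap(partialReferences));
  return Object.keys(polluted).filter((k) => refs.has(k));
}

// Constructed sample templates standing in for the application's own.
const SAMPLE_TEMPLATES = [
  '<html>{{> header}}<body>{{#> layout}}{{body}}{{/layout}}</body></html>',
  '<div>{{> footer}}</div>',
];

function report(templates = SAMPLE_TEMPLATES) {
  const version = installedHandlebarsVersion();
  return {
    handlebarsVersion: version,
    affectedVersion: version ? isAffectedHandlebars(version) : null,
    pollutedStrings: suspiciousPrototypeStrings(),
    atRisk: atRiskPartials(templates),
  };
}

console.log(report());
```

Run `report()` from a debugger or a health endpoint in the running process rather than in a fresh one: pollution lives in the heap of the process that merged the attacker's input, so a separate script sees a clean `Object.prototype`. Feed `isAffectedHandlebars()` the version strings from `npm ls handlebars` when the process cannot resolve the package itself.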

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Handlebars to version 4.7.9 or later, where the vulnerability is fixed.

If upgrading is not immediately possible, the following workarounds can reduce the risk:

  • Apply `Object.freeze(Object.prototype)` as early as possible during application startup, before any library that might extend `Object.prototype` is loaded. Writes to the frozen prototype then fail silently in sloppy-mode code and throw a `TypeError` in strict-mode code, which prevents pollution but may break libraries or polyfills that legitimately add to `Object.prototype`.
  • Use the Handlebars runtime-only build (`handlebars/runtime`), which does not compile templates and reduces the attack surface.
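As an added illustration of the first workaround (example code, not from the advisory or from Handlebars), the block below runs a typical pollution vector, a naive recursive merge of attacker-controlled JSON containing a `"__proto__"` key, once before and once after `Object.freeze(Object.prototype)`, and then shows the caveat: a library extending `Object.prototype` after the freeze fails with a `TypeError`. The `naiveMerge()` helper and the JSON payload are constructed for the demo; note that freezing is irreversible for the life of the process, which is why the demo caches its result.

```javascript
// Added example, not Handlebars' own code. Shows the effect of the advisory's
// Object.freeze(Object.prototype) workaround against the usual pollution vector
// (a naive recursive merge of attacker-controlled JSON), and its caveat.

// Hypothetical naive deep merge, the classic prototype-pollution sink: a
// "__proto__" key in the source walks the merge into Object.prototype.
function naiveMerge(target, source) {
  'use strict';  // strict so that writes to a frozen object throw instead of failing silently
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (val !== null && typeof val === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      naiveMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed attacker payload: a JSON body that some endpoint merges into config.
// "header" is the name of a partial the templates reference.
const PAYLOAD = '{"__proto__": {"header": "<i>injected partial body</i>"}}';

function attemptPollution() {
  const polluted = () => Object.prototype.hasOwnProperty.call(Object.prototype, 'header');
  try {
    naiveMerge({}, JSON.parse(PAYLOAD));
    return { threw: null, polluted: polluted() };
  } catch (e) {
    return { threw: e.constructor.name, polluted: polluted() };
  }
}

let cachedReport = null;
function demonstrateFreeze() {
  if (cachedReport) return cachedReport;   // Object.prototype cannot be unfrozen, so run once

  const before = attemptPollution();
  delete Object.prototype.header;          // undo the pollution; still possible before freezing

  Object.freeze(Object.prototype);         // the workaround, as early in startup as possible
  const after = attemptPollution();

  // Caveat from the advisory: code that extends Object.prototype now fails.
  let extensionError = null;
  try {
    (function () { 'use strict'; Object.prototype.myExt = function () {}; })();
  } catch (e) {
    extensionError = e.constructor.name;
  }

  cachedReport = { before, after, extensionError, frozen: Object.isFrozen(Object.prototype) };
  return cachedReport;
}

console.log(demonstrateFreeze());
```

Before the freeze the merge silently plants `header` on `Object.prototype` (the precondition for this CVE); after it the same payload raises `TypeError` in strict code and leaves the prototype untouched. The `extensionError` field is the cost: any library that monkey-patches `Object.prototype` after startup will see the same `TypeError`, or, in sloppy-mode code, a silently ignored write, so test the whole dependency set with the freeze in place before shipping it.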

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Handlebars.js allows for reflected or stored Cross-Site Scripting (XSS) attacks due to prototype pollution and improper escaping of partial template content.

Such XSS vulnerabilities can lead to unauthorized access to sensitive user data or session tokens, potentially resulting in data breaches.

Data breaches caused by exploitation of this vulnerability could impact compliance with regulations like GDPR and HIPAA, which require protection of personal and health information.

Therefore, if exploited, this vulnerability may cause an organization to fail in meeting confidentiality and integrity requirements mandated by these standards.

