Your message dated Sun, 29 Mar 2026 11:21:21 +0000
with message-id <[email protected]>
and subject line Bug#1132141: fixed in node-handlebars 3:4.7.9-1
has caused the Debian Bug report #1132141,
regarding node-handlebars: CVE-2026-33916 CVE-2026-33937 CVE-2026-33938
CVE-2026-33939 CVE-2026-33940 CVE-2026-33941
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132141
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-handlebars
Version: 3:4.7.7+~4.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerabilities were published for node-handlebars.
CVE-2026-33916[0]:
| Handlebars provides the power necessary to let users build semantic
| templates. In versions 4.0.0 through 4.7.8, `resolvePartial()` in
| the Handlebars runtime resolves partial names via a plain property
| lookup on `options.partials` without guarding against prototype-
| chain traversal. When `Object.prototype` has been polluted with a
| string value whose key matches a partial reference in a template,
| the polluted string is used as the partial body and rendered without
| HTML escaping, resulting in reflected or stored XSS. Version 4.7.9
| fixes the issue. Some workarounds are available. Apply
| `Object.freeze(Object.prototype)` early in application startup to
| prevent prototype pollution. Note: this may break other libraries,
| and/or use the Handlebars runtime-only build (`handlebars/runtime`),
| which does not compile templates and reduces the attack surface.
CVE-2026-33937[1]:
| Handlebars provides the power necessary to let users build semantic
| templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()`
| accepts a pre-parsed AST object in addition to a template string.
| The `value` field of a `NumberLiteral` AST node is emitted directly
| into the generated JavaScript without quoting or sanitization. An
| attacker who can supply a crafted AST to `compile()` can therefore
| inject and execute arbitrary JavaScript, leading to Remote Code
| Execution on the server. Version 4.7.9 fixes the issue. Some
| workarounds are available. Validate input type before calling
| `Handlebars.compile()`; ensure the argument is always a `string`,
| never a plain object or JSON-deserialized value. Use the Handlebars
| runtime-only build (`handlebars/runtime`) on the server if templates
| are pre-compiled at build time; `compile()` will be unavailable.
CVE-2026-33938[2]:
| Handlebars provides the power necessary to let users build semantic
| templates. In versions 4.0.0 through 4.7.8, the `@partial-block`
| special variable is stored in the template data context and is
| reachable and mutable from within a template via helpers that accept
| arbitrary objects. When a helper overwrites `@partial-block` with a
| crafted Handlebars AST, a subsequent invocation of `{{> @partial-
| block}}` compiles and executes that AST, enabling arbitrary
| JavaScript execution on the server. Version 4.7.9 fixes the issue.
| Some workarounds are available. First, use the runtime-only build
| (`require('handlebars/runtime')`). The `compile()` method is
| absent, eliminating the vulnerable fallback path. Second, audit
| registered helpers for any that write arbitrary values to context
| objects. Helpers should treat context data as read-only. Third,
| avoid registering helpers from third-party packages (such as
| `handlebars-helpers`) in contexts where templates or context data
| can be influenced by untrusted input.
CVE-2026-33939[3]:
| Handlebars provides the power necessary to let users build semantic
| templates. In versions 4.0.0 through 4.7.8, when a Handlebars
| template contains decorator syntax referencing an unregistered
| decorator (e.g. `{{*n}}`), the compiled template calls
| `lookupProperty(decorators, "n")`, which returns `undefined`. The
| runtime then immediately invokes the result as a function, causing
| an unhandled `TypeError: ... is not a function` that crashes the
| Node.js process. Any application that compiles user-supplied
| templates without wrapping the call in a `try/catch` is vulnerable
| to a single-request Denial of Service. Version 4.7.9 fixes the
| issue. Some workarounds are available. Wrap compilation and
| rendering in `try/catch`. Validate template input before passing it
| to `compile()`; reject templates containing decorator syntax
| (`{{*...}}`) if decorators are not used in your application. Use the
| pre-compilation workflow; compile templates at build time and serve
| only pre-compiled templates; do not call `compile()` at request
| time.
CVE-2026-33940[4]:
| Handlebars provides the power necessary to let users build semantic
| templates. In versions 4.0.0 through 4.7.8, a crafted object placed
| in the template context can bypass all conditional guards in
| `resolvePartial()` and cause `invokePartial()` to return
| `undefined`. The Handlebars runtime then treats the unresolved
| partial as a source that needs to be compiled, passing the crafted
| object to `env.compile()`. Because the object is a valid Handlebars
| AST containing injected code, the generated JavaScript executes
| arbitrary commands on the server. The attack requires the adversary
| to control a value that can be returned by a dynamic partial lookup.
| Version 4.7.9 fixes the issue. Some workarounds are available.
| First, use the runtime-only build (`require('handlebars/runtime')`).
| Without `compile()`, the fallback compilation path in
| `invokePartial` is unreachable. Second, sanitize context data before
| rendering: Ensure no value in the context is a non-primitive object
| that could be passed to a dynamic partial. Third, avoid dynamic
| partial lookups (`{{> (lookup ...)}}`) when context data is user-
| controlled.
CVE-2026-33941[5]:
| Handlebars provides the power necessary to let users build semantic
| templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI
| precompiler (`bin/handlebars` / `lib/precompiler.js`) concatenates
| user-controlled strings — template file names and several CLI
| options — directly into the JavaScript it emits, without any
| escaping or sanitization. An attacker who can influence template
| filenames or CLI arguments can inject arbitrary JavaScript that
| executes when the generated bundle is loaded in Node.js or a
| browser. Version 4.7.9 fixes the issue. Some workarounds are
| available. First, validate all CLI inputs before invoking the
| precompiler. Reject filenames and option values that contain
| characters with JavaScript string-escaping significance (`"`, `'`,
| `;`, etc.). Second, use a fixed, trusted namespace string passed via
| a configuration file rather than command-line arguments in
| automated pipelines. Third, run the precompiler in a sandboxed
| environment (container with no write access to sensitive paths) to
| limit the impact of successful exploitation. Fourth, audit template
| filenames in any repository or package that is consumed by an
| automated build pipeline.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-33916
https://www.cve.org/CVERecord?id=CVE-2026-33916
[1] https://security-tracker.debian.org/tracker/CVE-2026-33937
https://www.cve.org/CVERecord?id=CVE-2026-33937
[2] https://security-tracker.debian.org/tracker/CVE-2026-33938
https://www.cve.org/CVERecord?id=CVE-2026-33938
[3] https://security-tracker.debian.org/tracker/CVE-2026-33939
https://www.cve.org/CVERecord?id=CVE-2026-33939
[4] https://security-tracker.debian.org/tracker/CVE-2026-33940
https://www.cve.org/CVERecord?id=CVE-2026-33940
[5] https://security-tracker.debian.org/tracker/CVE-2026-33941
https://www.cve.org/CVERecord?id=CVE-2026-33941
Regards,
Salvatore
--- End Message ---
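As an added example, not part of the bug report above or of the handlebars project's code, the defensive checks the advisories recommend: an own-property partial lookup for the prototype-chain issue (CVE-2026-33916), and string-only, decorator-free template validation with compile and render wrapped in `try/catch` (CVE-2026-33937, CVE-2026-33939). Function names, the injected `compile` callback and the sample partials map are assumptions; nothing here calls the real handlebars API.

```javascript
// Added example (not from the Debian report or the handlebars project):
// defensive checks matching the workarounds in the advisories above.
// Function names are hypothetical; `compile` is an injected callback.

// CVE-2026-33916: a plain `partials[name]` lookup walks the prototype
// chain, so an inherited key is returned as if it were a registered
// partial. Shown only for comparison with the guarded version.
function resolvePartialPlain(partials, name) {
  return partials[name];
}

// Guarded lookup: only own, string-valued entries count as partials.
function resolvePartialOwn(partials, name) {
  if (partials === null || typeof partials !== 'object') return undefined;
  if (!Object.prototype.hasOwnProperty.call(partials, name)) return undefined;
  const body = partials[name];
  return typeof body === 'string' ? body : undefined;
}

// CVE-2026-33937 / CVE-2026-33939 workarounds: accept only string sources
// and reject the `{{*name}}` decorator form when decorators are unused.
const DECORATOR_RE = /\{\{\s*\*/;

function validateTemplateSource(src, { allowDecorators = false } = {}) {
  if (typeof src !== 'string') {
    return { ok: false, reason: 'template must be a string, got ' + typeof src };
  }
  if (!allowDecorators && DECORATOR_RE.test(src)) {
    return { ok: false, reason: 'decorator syntax is not permitted' };
  }
  return { ok: true, reason: null };
}

// Compile and render inside try/catch so a template that throws at
// either step yields an error value instead of crashing the process.
function renderSafely(compile, src, context) {
  const check = validateTemplateSource(src);
  if (!check.ok) return { ok: false, error: check.reason, html: null };
  try {
    return { ok: true, error: null, html: compile(src)(context) };
  } catch (err) {
    return { ok: false, error: String(err && err.message), html: null };
  }
}

// Constructed sample: a partials map whose prototype carries an extra
// key, standing in for a polluted Object.prototype without touching it.
const samplePartials = Object.create({ footer: '<b>inherited</b>' });
samplePartials.header = '<h1>own</h1>';
```

In a real deployment `compile` would be `Handlebars.compile` from the full build, or absent entirely when the runtime-only build is used with pre-compiled templates.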
--- Begin Message ---
Source: node-handlebars
Source-Version: 3:4.7.9-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-handlebars, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-handlebars package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 29 Mar 2026 12:55:47 +0200
Source: node-handlebars
Architecture: source
Version: 3:4.7.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1132141
Changes:
node-handlebars (3:4.7.9-1) unstable; urgency=medium
.
* New upstream version 4.7.9 (Closes: #1132141)
Fixes: CVE-2026-33916 CVE-2026-33937 CVE-2026-33938
CVE-2026-33939 CVE-2026-33940 CVE-2026-33941
* Drop embedded @types/handlebars (included upstream now)
* Refresh patches, drop disable-bg-shell-plugin.patch (applied upstream)
* Remove amd task from build (requirejs not available)
* Fix debian/watch: use handlebars-lang org, add STABLE_VERSION filter
* debian/watch version 5
* Declare compliance with policy 4.7.3
--- End Message ---