GHSA-442j-39wm-28r2: Handlebars.js has a Property Access Validation Bypass in container.lookup
In lib/handlebars/runtime.js, the container.lookup() function uses container.lookupProperty() as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access (depths[i][name]). This Time-of-Check Time-of-Use (TOCTOU) pattern means the security check and the actual read are decoupled, and the raw access bypasses any sanitization that lookupProperty may perform.
This is only relevant when the compat compile option is enabled ({compat: true}), which activates depthedLookup in lib/handlebars/compiler/javascript-compiler.js.
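The check-then-raw-read shape described above, as an added example that is not Handlebars' own code: a simplified model in which lookupProperty is the gate (here it only allows own properties and denies inherited ones, a stand-in for the library's prototype-access policy), lookupVulnerable uses the gate's answer only as a boolean and then reads the property again unguarded, and lookupFixed returns the value the gate already validated. The context object with a getter whose value changes between reads is constructed purely to make the two reads observable; it stands in for any object where a second read is not equivalent to the checked one.

```javascript
// Added example, not code from handlebars.js. Names mirror the advisory's
// description (lookupProperty as the gate, depths[i][name] as the raw read).

// Gate: return own properties; deny anything found only on the prototype chain.
// (Simplified stand-in for a prototype-access control, not the library's real policy.)
function lookupProperty(parent, name) {
  const result = parent[name];
  if (result == null) return result;
  if (Object.prototype.hasOwnProperty.call(parent, name)) return result;
  return undefined; // inherited property: denied
}

// Vulnerable shape: the validated result is discarded and the property is read
// a second time without the gate (time-of-check and time-of-use are decoupled).
function lookupVulnerable(depths, name) {
  for (let i = 0; i < depths.length; i++) {
    const result = depths[i] && lookupProperty(depths[i], name);
    if (result != null) {
      return depths[i][name]; // second, unguarded read
    }
  }
  return undefined;
}

// Hardened shape: return exactly the value the gate validated.
function lookupFixed(depths, name) {
  for (let i = 0; i < depths.length; i++) {
    const result = depths[i] && lookupProperty(depths[i], name);
    if (result != null) {
      return result;
    }
  }
  return undefined;
}

// Constructed context: an own accessor property whose value differs on the
// second read. This makes the decoupling visible; it is not a specific attack.
function makeVolatileContext() {
  let reads = 0;
  return {
    get title() {
      reads += 1;
      return reads === 1 ? 'validated value' : 'different value on second read';
    },
  };
}

// Run both lookups against fresh contexts and report what each returns.
function compareReads() {
  return {
    fixed: lookupFixed([makeVolatileContext()], 'title'),
    vulnerable: lookupVulnerable([makeVolatileContext()], 'title'),
  };
}

console.log(compareReads());
// { fixed: 'validated value', vulnerable: 'different value on second read' }
```

For plain data objects both variants return the same value, and both deny an inherited property because the gate's answer is null; the difference appears only when the gated read and the raw read are not equivalent, which is exactly the situation the TOCTOU pattern fails to rule out.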
References
- github.com/advisories/GHSA-442j-39wm-28r2
- github.com/handlebars-lang/handlebars.js
- github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2