CVE-2014-0014
Description
Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1.3.x before 1.3.1, and 1.4.x before 1.4.0-beta.2 allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging an application using the "{{group}}" Helper and a crafted payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ember.js {{group}} helper does not escape HTML, leading to cross-site scripting (XSS).
Vulnerability
CVE-2014-0014 is a cross-site scripting (XSS) vulnerability in the Ember.js JavaScript framework. The flaw resides in the {{group}} Handlebars helper which fails to properly escape HTML output. Affected versions include Ember.js 1.0.x before 1.0.1, 1.1.x before 1.1.3, 1.2.x before 1.2.1, 1.3.x before 1.3.1, and 1.4.x before 1.4.0-beta.2 [1][2]. An application that uses the {{group}} helper is vulnerable if it passes user-controlled content to that helper without additional escaping [3].
Exploitation
An attacker exploits this by placing HTML or JavaScript in data that the application renders through the {{group}} helper, for example via a form field or URL parameter whose value ends up in a bound property [1][3]. No special network position is required beyond the ability to get the payload into that data, and no prior authentication is needed if the affected template is shown to unauthenticated users [2]. In the vulnerable versions the helper's bound-value path pushes the value into the render buffer without escaping it at all, so a normal {{value}} inside a {{#group}} block behaves like a triple-mustache {{{value}}} and the browser interprets the injected markup [4].
Impact
Successful exploitation leads to cross-site scripting (XSS), allowing the attacker to execute arbitrary JavaScript in the context of the victim's session [1]. This can result in data theft, session hijacking, defacement, or further attacks against users of the affected application [2].
Mitigation
Upgrade to a fixed version: Ember.js 1.0.1, 1.1.3, 1.2.1, 1.3.1, or 1.4.0-beta.2 or later [1][3]. The fix makes the {{group}} helper escape bound values with Handlebars' escapeExpression unless the unescaped option is set, i.e. unless the template used a triple mustache, while Handlebars.SafeString values still pass through unescaped [4]; after upgrading, triple mustaches and SafeStrings inside {{#group}} blocks remain the application's responsibility to audit, exactly as they are outside them. Only applications that actually use the {{group}} helper are exposed; for those, no workaround short of updating is documented. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
- [1] NVD - CVE-2014-0014
- [2] GitHub - emberjs/ember.js: Ember.js - A JavaScript framework for creating ambitious web applications
- [3] ruby-advisory-db/gems/ember-source/CVE-2014-0014.yml at master · rubysec/ruby-advisory-db
- [4] [SECURITY CVE-2014-0014] Ensure {{group}} helper escapes properly. · emberjs/ember.js@12fa46b
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ember-source (RubyGems) | >= 1.0.0.pre4.0, < 1.0.1 | 1.0.1 |
| ember-source (RubyGems) | >= 1.1.0, < 1.1.3 | 1.1.3 |
| ember-source (RubyGems) | >= 1.2.0.beta.1, < 1.2.1 | 1.2.1 |
| ember-source (RubyGems) | >= 1.3.0.beta.1, < 1.3.1 | 1.3.1 |
| ember-source (RubyGems) | >= 1.4.0-beta.1, < 1.4.0-beta.2 | 1.4.0-beta.2 |
Affected products
Patches
12fa46ba1c6e [SECURITY CVE-2014-0014] Ensure {{group}} helper escapes properly.
2 files changed · +26 −1
packages/ember-handlebars/lib/helpers/binding.js+9 −1 modified@@ -120,7 +120,15 @@ function simpleBind(currentContext, property, options) { }; var result = handlebarsGet(currentContext, property, options); - if (result === null || result === undefined) { result = ""; } + if (result === null || result === undefined) { + result = ""; + } else if (!(result instanceof Handlebars.SafeString)) { + result = String(result); + } + if (!options.hash.unescaped){ + result = Handlebars.Utils.escapeExpression(result); + } + data.buffer.push(result); } else { var bindView = new Ember._SimpleHandlebarsView(
packages/ember-handlebars/tests/helpers/group_test.js+17 −0 modified@@ -214,3 +214,20 @@ test("#each with itemViewClass behaves like a normal bound #each", function() { // IE likes to add newlines equal(trim(view.$().text()), 'ErikPeterTom'); }); + +test("should escape HTML in normal mustaches", function() { + createGroupedView( + '{{msg}}', {msg: 'you need to be more <b>bold</b>'} + ); + appendView(); + equal(view.$('b').length, 0, "does not create an element"); + equal(view.$().text(), 'you need to be more <b>bold</b>', "inserts entities, not elements"); +}); + +test("should not escape HTML in triple mustaches", function() { + createGroupedView( + '{{{msg}}}', {msg: 'you need to be more <b>bold</b>'} + ); + appendView(); + equal(view.$('b').length, 1, "creates an element"); +});
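Review bot: in the `simpleBind` hunk of `binding.js`, the `instanceof Handlebars.SafeString` guard only stops `String(result)` from flattening a SafeString; for a normal `{{ }}` the value is still handed to `Handlebars.Utils.escapeExpression`, so the fix silently depends on `escapeExpression` returning SafeStrings unchanged. That holds for Handlebars, but it deserves a one-line comment next to `result = Handlebars.Utils.escapeExpression(result);` so nobody later "simplifies" it into an unconditional escape. Note also that when `options.hash.unescaped` is set, `data.buffer.push(result)` pushes the SafeString object rather than a string and relies on the buffer join to stringify it; `data.buffer.push(String(result))` would make that explicit. Minor: `if (!options.hash.unescaped){` is missing the space before `{` used elsewhere in the file.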
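Review bot: the two new tests in `group_test.js` exercise a plain string under `{{msg}}` and `{{{msg}}}` but not the third path the fix introduces, a `Handlebars.SafeString` under a normal `{{msg}}`, which must still render as markup and not be double-escaped; add a case such as `createGroupedView('{{msg}}', {msg: new Handlebars.SafeString('<b>bold</b>')})` asserting `view.$('b').length` is 1. A null or undefined value (expected to render as an empty string) and a quote-bearing string would also pin down the `result = ""` and entity-encoding branches that the first hunk changes.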
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rcx6-7jp6-pqf2 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2014-0014 (GHSA, advisory)
- emberjs.com/blog/2014/01/14/ember-security-releases.html (GHSA, x_refsource_CONFIRM, web)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (GHSA, x_refsource_CONFIRM, web)
- github.com/emberjs/ember.js/commit/12fa46ba1c6efb9ddac7bfdef7f4f6909781c801 (GHSA, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/ember-source/CVE-2014-0014.yml (GHSA, web)
- groups.google.com/forum/ (GHSA, web)
- groups.google.com/forum/ (MITRE, x_refsource_CONFIRM)