VYPR
Moderate severity · NVD Advisory · Published Aug 16, 2021 · Updated Aug 3, 2024

File disclosure in hbs

CVE-2021-32822

Description

The npm hbs package is an Express view engine wrapper for Handlebars. Depending on how it is used, applications that rely on hbs may be vulnerable to file disclosure. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options, a file disclosure vulnerability may be triggered in downstream applications. For an example PoC, see the referenced GHSL-2021-020.
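Because template data and engine options share one object, a downstream application can limit exposure by never handing a request-derived object to `res.render()` directly. The following is an added example, not code from hbs, Express or the advisory; the view name `profile`, the field names and `buildLocals` are hypothetical.

```javascript
'use strict';

// Allowlist of template locals a hypothetical "profile" view accepts from the
// request, each with its own validator. Anything else is never forwarded.
const PROFILE_LOCALS = {
  name: (v) => typeof v === 'string' && v.length <= 64,
  theme: (v) => v === 'light' || v === 'dark',
};

// Build the object passed to res.render() from untrusted input.
// Only allowlisted keys with valid values are copied, so a request key can
// never end up alongside the view engine's configuration options.
function buildLocals(untrusted, schema) {
  const locals = {};
  const dropped = [];
  if (untrusted === null || typeof untrusted !== 'object') {
    return { locals, dropped };
  }
  for (const key of Object.keys(untrusted)) {
    const known = Object.prototype.hasOwnProperty.call(schema, key);
    if (known && schema[key](untrusted[key])) {
      locals[key] = untrusted[key];
    } else {
      dropped.push(key); // worth logging: unexpected keys are a detection signal
    }
  }
  return { locals, dropped };
}

// Constructed sample input: one expected field, one unexpected key and one
// value of the wrong type (an array where a string is required).
const sampleQuery = { name: 'alice', unexpectedOption: 'x', theme: ['dark'] };
const result = buildLocals(sampleQuery, PROFILE_LOCALS);
console.log('locals:', result.locals, 'dropped:', result.dropped);

// In a route handler (Express assumed):
//   risky pattern: res.render('profile', req.query);
//   hardened:      res.render('profile', buildLocals(req.query, PROFILE_LOCALS).locals);
```
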

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: hbs (npm)
Affected versions: <= 4.1.2
Patched versions: none listed

Affected products

2
  • ghsa-coords
    Range: <= 4.1.2
  • pillarjs/hbsv5
    Range: all
