Moderate severityNVD Advisory· Published Aug 16, 2021· Updated Aug 3, 2024
File disclosure in hbs
CVE-2021-32822
Description
The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
hbsnpm | <= 4.1.2 | — |
Affected products
2- pillarjs/hbsv5Range: all
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-7f5c-rpf4-86p8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-32822ghsaADVISORY
- securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbsghsaADVISORY
- securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.