VYPR
High severity (7.5) · NVD Advisory · Published Jun 17, 2026 · Updated Jun 17, 2026

handlebars.java FileTemplateLoader Path Traversal

CVE-2026-55760

Description

Impact

Any application that passes user-controlled input to Handlebars.compile() using a FileTemplateLoader (or ClassPathTemplateLoader) is vulnerable to arbitrary file read. This is a realistic attack surface for web applications that use template names from URL path parameters, request parameters, or other user-controlled sources.

Patches

Fixed in com.github.jknack:handlebars:4.5.2

Workarounds

Validate the template name whenever it is derived from user input.

// file: the resolved template File; prefix: the configured template root; location: the requested template name.
// Both sides must be canonicalized so that "../" segments are collapsed before the comparison; the trailing
// separator prevents a sibling directory whose name merely starts with the prefix from being accepted.
if (!file.getCanonicalPath().startsWith(new File(prefix).getCanonicalPath() + File.separator)) {
    throw new IOException("Path traversal attempt detected: " + location);
}

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing path canonicalization and validation in FileTemplateLoader allows path traversal via user-controlled template names."

Attack vector

An attacker supplies a crafted template name (e.g., containing `../` sequences) via URL path parameters, request parameters, or other user-controlled input to `Handlebars.compile()` when a `FileTemplateLoader` or `ClassPathTemplateLoader` is in use [CWE-22]. The loader does not validate or canonicalize the path before reading the file, enabling the attacker to read arbitrary files outside the configured template prefix directory. No authentication is required beyond the ability to reach the vulnerable endpoint.

Affected code

The vulnerability resides in the `FileTemplateLoader` (and `ClassPathTemplateLoader`) classes of the `com.github.jknack:handlebars` Java library. When user-controlled input is passed to `Handlebars.compile()` using these loaders, the template name is not sanitized, allowing path traversal sequences such as `../` to escape the intended template directory.

What the fix does

The patch in version 4.5.2 adds a canonical-path check inside the template loader: it resolves both the configured prefix directory and the requested file to their canonical paths and verifies that the file's path starts with the prefix's canonical path. If the check fails, an `IOException` is thrown, preventing any read outside the allowed directory. This closes the path-traversal hole by ensuring that `../` sequences cannot escape the template root.
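The canonical-path check described above, as an added standalone example (not code from handlebars.java): an application running an unpatched version can apply it to a template name before handing the name to `Handlebars.compile()`. The root directory, suffix and template names below are constructed for the demo.

```java
import java.io.File;
import java.io.IOException;

public class SafeTemplateResolver {
    private final File root;
    private final String suffix;

    // root: the configured template directory (the loader's prefix);
    // suffix: extension appended to template names, e.g. ".hbs"
    public SafeTemplateResolver(File root, String suffix) throws IOException {
        this.root = root.getCanonicalFile();
        this.suffix = suffix;
    }

    // Resolve a user-supplied template name to a file under root, or throw.
    // Mirrors the 4.5.2 check: both sides are canonicalized before comparison,
    // so "../" segments (and symlinked components) cannot escape the root.
    public File resolve(String name) throws IOException {
        File candidate = new File(root, name + suffix).getCanonicalFile();
        // Compare against root plus a separator so that a sibling directory whose
        // name merely starts with the root's name (e.g. /templates-private) fails.
        String rootPrefix = root.getPath() + File.separator;
        if (!candidate.getPath().startsWith(rootPrefix)) {
            throw new IOException("Path traversal attempt detected: " + name);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo root; getCanonicalFile collapses ".." lexically even when
        // the directory does not exist, so the demo runs without a real template tree.
        SafeTemplateResolver resolver =
                new SafeTemplateResolver(new File("/srv/app/templates"), ".hbs");
        String[] names = { "index", "mail/welcome", "../../etc/passwd", "x/../../secret" };
        for (String n : names) {
            try {
                System.out.println("OK      " + n + " -> " + resolver.resolve(n));
            } catch (IOException e) {
                System.out.println("BLOCKED " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two names resolve to files under the root; the last two are rejected because their canonical paths land in /srv/ and /srv/app/ respectively.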

Preconditions

  • Config: The application must use `FileTemplateLoader` or `ClassPathTemplateLoader` and pass user-controlled input to `Handlebars.compile()`.
  • Input: The attacker must be able to supply a template name (e.g., via URL path or request parameter) that includes path-traversal sequences.

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
