Prototype pollution in handlebars.js - #VU124847


Published: April 2, 2026


Vulnerability identifier: #VU124847
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-1321
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: The Handlebars Templating Language
Affected software:
handlebars.js

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and modify data.

The vulnerability exists due to improper access control in lib/handlebars/internal/proto-access.js when processing templates with the non-default allowProtoMethodsByDefault option enabled. A remote attacker can access the __lookupSetter__ prototype method to disclose sensitive information and modify data.

This issue affects the prototype method blocklist because __lookupSetter__ is omitted while related accessor helper methods remain blocked. The default configuration is not affected, and exploitation is only possible when allowProtoMethodsByDefault is explicitly set to true.
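As an added illustration, not part of this advisory or of the handlebars.js code base, the JavaScript below models how Handlebars resolves prototype-method access from its runtime options (an assumption about the semantics of lib/handlebars/internal/proto-access.js, including the names of the blocked accessor helpers; check it against your installed version). It reproduces the blocklist gap for __lookupSetter__ under allowProtoMethodsByDefault: true and shows two configurations that close it.

```javascript
// Added example (not the library's code). Assumption: Handlebars builds a per-method
// access table from a built-in blocklist merged with runtimeOptions.allowedProtoMethods;
// a method not in that table falls back to runtimeOptions.allowProtoMethodsByDefault.

// Accessor helpers the advisory says remain blocked. __lookupSetter__ is deliberately
// absent here to reproduce the reported omission (names assumed from the library).
const DEFAULT_METHOD_BLOCKLIST = ['constructor', '__defineGetter__', '__defineSetter__', '__lookupGetter__'];

// Build the method access table: explicit entries win, unlisted names use the default.
function buildMethodAccess(runtimeOptions = {}) {
  const table = Object.create(null);
  for (const name of DEFAULT_METHOD_BLOCKLIST) table[name] = false;
  Object.assign(table, runtimeOptions.allowedProtoMethods || {});
  return { table, defaultValue: runtimeOptions.allowProtoMethodsByDefault === true };
}

// Decide whether a template may invoke a prototype method of this name.
function isProtoMethodAllowed(access, methodName) {
  return methodName in access.table ? access.table[methodName] === true : access.defaultValue;
}

// Config-review helper: list the accessor helpers a given option set lets through.
function exposedAccessorHelpers(runtimeOptions) {
  const access = buildMethodAccess(runtimeOptions);
  const helpers = ['__defineGetter__', '__defineSetter__', '__lookupGetter__', '__lookupSetter__'];
  return helpers.filter((name) => isProtoMethodAllowed(access, name));
}

// Constructed option sets for comparison.
const DEFAULT_OPTIONS = {};                                   // library default: all proto methods denied
const WEAK_OPTIONS = { allowProtoMethodsByDefault: true };   // the non-default setting named in the advisory
// Preferred fix: keep the default and allowlist only the methods templates actually need.
const ALLOWLIST_OPTIONS = { allowedProtoMethods: { toString: true } };
// If the blanket allow must stay, an explicit deny entry closes the __lookupSetter__ gap.
const EXPLICIT_DENY_OPTIONS = { allowProtoMethodsByDefault: true, allowedProtoMethods: { __lookupSetter__: false } };

for (const [label, opts] of Object.entries({ DEFAULT_OPTIONS, WEAK_OPTIONS, ALLOWLIST_OPTIONS, EXPLICIT_DENY_OPTIONS })) {
  console.log(label, '-> exposed accessor helpers:', exposedAccessorHelpers(opts));
}
```

Running it prints an empty list for every option set except WEAK_OPTIONS, which exposes only __lookupSetter__.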


Remediation

Install the security update from the vendor's website.

Sources