Closed
Description
At the beginning of the year, we were notified by npm-security about a vulnerability that allowed template creators to execute arbitrary JavaScript code.
By accessing the object's constructor, it is possible to fabricate and execute arbitrary Functions.
In an environment where Handlebars is executed in a NodeJS environment, this means that anybody who can modify Handlebars templates can also access the file system, spawn sub-processes and open network connections from the NodeJS-server.
The vulnerability has been fixed in version 4.0.13 and 4.1.0 by forbidding access to the constructor.
So far, we have not been able to reproduce the vulnerability with 3.x versions.
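As an added example (not code from the Handlebars project or from this issue's author), a small pre-deployment lint that flags template expressions reaching for a value's `constructor`, the access the issue describes; it is meant as a gate for templates supplied by third parties, alongside the upgrade the issue names, and every function name and sample template below is this example's own.

```javascript
// Property names the issue identifies as dangerous to reach from a template.
// Assumption: only `constructor` is listed because that is the access this
// issue describes; a stricter policy can extend the set.
const DENIED_SEGMENTS = new Set(["constructor"]);

// Pull every mustache expression out of a template source: {{ ... }},
// {{{ ... }}}, and block forms such as {{#with ...}} / {{/each}}.
function extractExpressions(template) {
  const out = [];
  const re = /\{\{\{?\s*([^{}]*?)\s*\}?\}\}/g;
  let m;
  while ((m = re.exec(template)) !== null) {
    out.push(m[1]);
  }
  return out;
}

// Split an expression into path segments. Handlebars accepts dotted (a.b.c)
// and slash (a/b/c) separators as well as [literal] segments; quotes and
// brackets are stripped so literal segments are checked like plain ones.
function pathSegments(expr) {
  return expr
    .split(/[\s()=|]+/)                 // params, hash args, block params
    .filter(Boolean)
    .flatMap((tok) => tok.replace(/^[#\/^]/, "").split(/[.\/]/))
    .map((seg) => seg.replace(/^['"\[]|['"\]]$/g, ""));
}

// Return the offending expressions; an empty array means the template is clean.
function findConstructorAccess(template) {
  return extractExpressions(template).filter((expr) =>
    pathSegments(expr).some((seg) => DENIED_SEGMENTS.has(seg))
  );
}

// Constructed sample templates (not taken from the issue).
const SAFE_TEMPLATE = "Hello {{user.name}}! {{#each items}}{{this}}{{/each}}";
const RISKY_TEMPLATE = "{{#with user.constructor}}{{this}}{{/with}}";

// Stand-alone demo: a build step would reject any template with hits.
for (const tpl of [SAFE_TEMPLATE, RISKY_TEMPLATE]) {
  const hits = findConstructorAccess(tpl);
  console.log(hits.length === 0 ? "clean:" : "REJECT:", tpl, hits);
}
```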