Skip to content

[Security] [GHSA-2w6w-674q-4c4q] Critical JavaScript Injection in handlebars (transitive via ts-jest) #1476

New issue
New issue
Open
Open
[Security] [GHSA-2w6w-674q-4c4q] Critical JavaScript Injection in handlebars (transitive via ts-jest)#1476
Labels
dependenciesPull requests that update a dependency filesecurity
@github-actions

Description

@github-actions
github-actions
bot
opened on Mar 28, 2026

Security Vulnerability Report

Summary

  • Package: handlebars
  • Affected Version: 4.7.8 (current)
  • Fixed Version: 4.7.9
  • Severity: CRITICAL
  • GHSA: GHSA-2w6w-674q-4c4q
  • CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Vulnerability Details

handlebars@4.7.8 contains multiple vulnerabilities (all fixed in 4.7.9):

GHSA Severity CVSS Title
GHSA-2w6w-674q-4c4q CRITICAL 9.8 JavaScript Injection via AST Type Confusion
GHSA-xjpj-3mr7-gcpf HIGH 8.3 JavaScript Injection in CLI Precompiler via Unescaped Names and Options
GHSA-xhpv-hc6g-r9c6 HIGH 8.1 JavaScript Injection via AST Type Confusion (object as dynamic partial)
GHSA-3mfm-83xf-c92r HIGH 8.1 JavaScript Injection via tampering @partial-block
GHSA-9cx6-37pm-9jff HIGH 7.5 Denial of Service via Malformed Decorator Syntax in Template Compilation
GHSA-2qvq-rjwj-gvw9 MODERATE 4.7 Prototype Pollution Leading to XSS through Partial Template Injection

The most severe issue (CVSS 9.8) allows JavaScript injection via AST type confusion. An attacker who can control template input can execute arbitrary JavaScript code through type confusion in the Handlebars AST processor.

Dependency Chain

gh-aw-firewall (dev)
  └── ts-jest@^29.4.6
        └── handlebars@^4.7.8  ← vulnerable (4.7.8 installed, 4.7.9 fixes all issues)

This is a devDependency used only in the test pipeline (ts-jest), so it does not affect the firewall runtime or production behavior. However, a compromised test pipeline could still impact developer machines and CI environments.

Impact on gh-aw-firewall

Since handlebars is pulled in only as a transitive dev dependency through ts-jest, the attack surface is limited to:

  • Developer workstations running npm test
  • CI/CD build runners executing the test suite

Runtime firewall behavior is not affected. Nevertheless, as a security-critical project, the test toolchain should also maintain a clean vulnerability profile.

Remediation Steps

  1. Recommended Fix: npm audit fix upgrades handlebars to 4.7.9 (patch update, no breaking changes)
  2. Command: npm audit fix
  3. This is being tracked in a companion dependency update PR.

Testing Required

  • Run full test suite after update: npm test
  • Verify no regressions in ts-jest behaviour

References

Detection Details

  • Detected by: Dependency Security Monitor Workflow
  • Detection Time: 2026-03-28T00:53:03Z
  • Source: npm audit

Generated by Dependency Security Monitor ·

  • expires on Apr 27, 2026, 12:57 AM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency filesecurity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions