[Security] [GHSA-2w6w-674q-4c4q] CRITICAL: JavaScript Injection in handlebars (CVSS 9.8)

## Security Vulnerability Report

### Summary
- **Package**: `handlebars`
- **Affected Version**: `4.7.8` (transitive via `ts-jest`)
- **Severity**: `CRITICAL`
- **GHSA**: `GHSA-2w6w-674q-4c4q` (and related: GHSA-xjpj-3mr7-gcpf, GHSA-xhpv-hc6g-r9c6, GHSA-9cx6-37pm-9jff, GHSA-3mfm-83xf-c92r)
- **CVSS Score**: 9.8 (Critical) / AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

### Vulnerability Details

`handlebars@4.7.8` (via `ts-jest`) contains multiple HIGH/CRITICAL vulnerabilities:

1. **GHSA-2w6w-674q-4c4q** (CRITICAL, CVSS 9.8): JavaScript Injection via AST Type Confusion — allows arbitrary code execution through template compilation
2. **GHSA-xjpj-3mr7-gcpf** (HIGH, CVSS 8.3): JavaScript Injection in CLI Precompiler via Unescaped Names and Options
3. **GHSA-xhpv-hc6g-r9c6** (HIGH, CVSS 8.1): JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
4. **GHSA-9cx6-37pm-9jff** (HIGH, CVSS 7.5): Denial of Service via Malformed Decorator Syntax in Template Compilation
5. **GHSA-3mfm-83xf-c92r** (HIGH, CVSS 8.1): JavaScript Injection via AST Type Confusion by tampering `@partial-block`

### Impact on gh-aw-firewall

`handlebars` is a **devDependency** used only by `ts-jest` (test runner). It is **not included in the production bundle** shipped to users, and is **not present in any Docker container images**. The practical risk to end users is low, but the vulnerability should be patched to keep CI environments secure and to avoid false positives in security scans.

### Remediation Steps

1. **Recommended Fix**: Update `handlebars` to `4.7.9` via `npm audit fix`
2. **Command**: `npm audit fix`
3. **Status**: ✅ Fixed in PR — `handlebars` updated from `4.7.8` → `4.7.9` and `brace-expansion` from `5.0.4` → `5.0.5` (moderate DoS fix)

### Testing Required
- [x] All tests pass after update (3 pre-existing failures unrelated to this change)
- [x] No breaking changes detected
- [x] `npm audit` reports 0 vulnerabilities after fix

### References
- [GHSA-2w6w-674q-4c4q](https://github.com/advisories/GHSA-2w6w-674q-4c4q)
- [GHSA-xjpj-3mr7-gcpf](https://github.com/advisories/GHSA-xjpj-3mr7-gcpf)
- [handlebars 4.7.9 release](https://github.com/handlebars-lang/handlebars.js/blob/master/release-notes.md)

### Detection Details
- **Detected by**: Dependency Security Monitor Workflow
- **Detection Time**: 2026-03-29T01:00:09Z
- **Source**: `npm audit`




> Generated by [Dependency Security Monitor](https://github.com/github/gh-aw-firewall/actions/runs/23698140167) · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-firewall+is%3Aissue+%22gh-aw-workflow-call-id%3A+github%2Fgh-aw-firewall%2Fdependency-security-monitor%22&type=issues)
> - [x] expires  on Apr 28, 2026, 1:03 AM UTC

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] [GHSA-2w6w-674q-4c4q] CRITICAL: JavaScript Injection in handlebars (CVSS 9.8) #1489

Security Vulnerability Report

Summary

Vulnerability Details

Impact on gh-aw-firewall

Remediation Steps

Testing Required

References

Detection Details

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[Security] [GHSA-2w6w-674q-4c4q] CRITICAL: JavaScript Injection in handlebars (CVSS 9.8) #1489

Description

Security Vulnerability Report

Summary

Vulnerability Details

Impact on gh-aw-firewall

Remediation Steps

Testing Required

References

Detection Details

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions