GHSA-442J-39WM-28R2 Handlebars.js has a Property Access Validation Bypass in container.lookup

Summary In lib/handlebars/runtime.js, the container.lookup function uses container.lookupProperty as a gate check to enforce prototype-access controls, but then discards the validated result and performs a second, unguarded property access depthsiname. This Time-of-Check Time-of-Use TOCTOU patter...

GHSA-2QVQ-RJWJ-GVW9 Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection

Summary resolvePartial in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype has been polluted with a string value whose key matches a partial reference in a template, the polluted...

Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection

Summary resolvePartial in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype has been polluted with a string value whose key matches a partial reference in a template, the polluted...