


Perceptive Security
SOC/SIEM Consultancy

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the template context …
Published:
26 March 2026 at 23:00:00
Alert date:
27 March 2026 at 23:03:46
Source:
nvd.nist.gov
Web Technologies, Supply Chain & Dependencies
A critical vulnerability in Handlebars versions 4.0.0 through 4.7.8 lets an attacker who controls the value returned by a dynamic partial lookup achieve arbitrary code execution in the process that renders the template, by placing a crafted object in the template context. The issue is fixed in version 4.7.9; workarounds exist for deployments that cannot upgrade immediately (see Mitigation steps below).
Technical details
A crafted object in the template context bypasses the conditional guards in resolvePartial() and causes invokePartial() to return undefined. The runtime then compiles the object as if it were a Handlebars AST, so injected code carried in attacker-controlled AST nodes is compiled as part of the template. The attack requires adversary control over the value a dynamic partial lookup returns, for example a partial whose name is read from a context field at render time; static partial names that are fixed in the template source are not attacker-controlled.
Mitigation steps:
Upgrade to Handlebars 4.7.9 or later. Until that is possible: use the runtime-only build with precompiled templates, which ships without the compiler that the vulnerable fallback relies on; sanitize context data so that only plain data (strings, numbers, booleans, arrays and plain objects) reaches a template; and do not feed user-controlled data into dynamic partial lookups, resolving partial names from a fixed allowlist of registered partials instead.
Affected products:
Handlebars (npm package handlebars), versions 4.0.0 through 4.7.8; fixed in 4.7.9
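The following is an added example of the two context-side workarounds (sanitize context data, keep user-controlled data out of dynamic partial lookups); it is not code from the advisory, from NVD, or from the handlebars.js project. The allowlist contents, the helper names safePartialName, sanitizeContext and prepareRender, and the sample request body are assumptions made for illustration. With the real library the allowlist helper would be registered with Handlebars.registerHelper and invoked from the template as a subexpression, replacing a raw lookup.

```javascript
// Added example (not from the advisory or from handlebars.js). ALLOWED_PARTIALS,
// the helper names and the sample input below are assumptions for illustration.

// Names of the partials the application has actually registered. Anything else
// maps to the default, so a dynamic lookup can never resolve to caller-supplied
// data (an object, a function, or an unexpected string).
const ALLOWED_PARTIALS = new Set(['card', 'list', 'table']);
const DEFAULT_PARTIAL = 'card';

// Intended to be registered as a helper, e.g.
//   Handlebars.registerHelper('safePartial', safePartialName);
// and used as {{> (safePartial layout) }} instead of {{> (lookup . "layout") }}.
function safePartialName(value) {
  return typeof value === 'string' && ALLOWED_PARTIALS.has(value)
    ? value
    : DEFAULT_PARTIAL;
}

// Reduce an untrusted value to plain JSON-like data: strings, numbers, booleans,
// null, arrays and plain objects. Functions, class instances (Date, Map, ...)
// and own "__proto__"/"constructor"/"prototype" keys are dropped, so the context
// that reaches the template contains data only. Returns undefined for values
// that are dropped.
function sanitizeContext(value, depth = 0) {
  if (depth > 32) throw new Error('context nested too deeply');
  if (value === null) return null;
  const type = typeof value;
  if (type === 'string' || type === 'number' || type === 'boolean') return value;
  if (Array.isArray(value)) {
    return value.map((item) => {
      const clean = sanitizeContext(item, depth + 1);
      return clean === undefined ? null : clean;
    });
  }
  if (type === 'object') {
    const proto = Object.getPrototypeOf(value);
    if (proto !== Object.prototype && proto !== null) return undefined;
    const out = {};
    for (const key of Object.keys(value)) {
      if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
      const clean = sanitizeContext(value[key], depth + 1);
      if (clean !== undefined) out[key] = clean;
    }
    return out;
  }
  return undefined; // functions, symbols, bigint, undefined
}

// What a render path should do before calling a compiled template: sanitize
// the whole context, then derive the partial name through the allowlist rather
// than handing the raw field to the partial machinery.
function prepareRender(untrusted) {
  const context = sanitizeContext(untrusted);
  if (context === undefined || context === null || typeof context !== 'object') {
    throw new Error('context must be a plain object');
  }
  return { context, partial: safePartialName(context.layout) };
}

// Constructed sample input (not a real capture): a JSON body in which the field
// used for the dynamic partial is an object instead of a name, plus an own
// "__proto__" key and, as a less strict deserializer might produce, a Date and a
// function merged in.
const sampleInput = Object.assign(
  JSON.parse('{"name":"alice","layout":{"id":7,"body":[]},"__proto__":{"isAdmin":true}}'),
  { lastSeen: new Date(0), greet: () => 'hi' }
);

const example = prepareRender(sampleInput);
console.log(example.partial);                 // card
console.log(JSON.stringify(example.context)); // {"name":"alice","layout":{"id":7,"body":[]}}
```

The allowlist is the important half: sanitizing the context removes functions and exotic objects, but a partial name that is still chosen by the caller is still attacker-controlled data reaching the partial lookup, and the allowlist is what takes that control away. Precompiling templates and loading handlebars/runtime in production is the third workaround from the advisory and is independent of both helpers.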
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-33940
https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
