CVE-2026-33937
Handlebars · Handlebars.js
Handlebars.js allows Remote Code Execution when `Handlebars.compile()` processes a crafted AST object containing unsanitized numeric literals.
Executive summary
Handlebars.js versions prior to 4.7.9 are vulnerable to unauthenticated Remote Code Execution if an attacker can provide a malicious AST object to the template compiler.
Vulnerability
The Handlebars.compile() function accepts a pre-parsed Abstract Syntax Tree (AST) object in place of a template string. The `value` field of a NumberLiteral node is emitted directly into the generated JavaScript without sanitization, so an unauthenticated attacker who controls the object passed to compile() can execute arbitrary JavaScript in the server process.
Business impact
This is a critical RCE vulnerability in a widely used library. Successful exploitation allows an attacker to execute code with the privileges of the Node.js process, leading to full server takeover and data compromise. The CVSS score of 9.8 reflects the severity and potential for widespread impact across numerous applications.
Remediation
Immediate Action: Update the handlebars package to version 4.7.9 or later in all project dependencies.
Proactive Monitoring: Audit application code to ensure that Handlebars.compile() is only called with trusted string inputs and never with objects derived from user-supplied JSON.
Compensating Controls: Use the Handlebars runtime-only build (handlebars/runtime) in production environments where templates are pre-compiled, as this build does not include the vulnerable compile() function.
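As an added illustration of the audit described in the two preceding items (example code, not from the Handlebars project), the guard below only hands plain strings to the compiler and, where an application must accept an AST object, refuses any NumberLiteral whose `value` is not an actual finite number. It assumes the Handlebars node shape `{ type: 'NumberLiteral', value }`; the compiler itself is passed in as `compileFn` so the snippet runs without the package installed.

```javascript
// Added example, not from the Handlebars project: validate template input
// before it reaches Handlebars.compile(). Assumes AST nodes carry `type` and
// NumberLiteral nodes a `value` field; `compileFn` stands in for
// Handlebars.compile so the snippet runs without the package installed.

// Walk a plain-object AST and return the paths of every NumberLiteral whose
// value is not an actual finite number (e.g. a string smuggled in via JSON).
function findBadNumberLiterals(node, path = 'ast', out = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findBadNumberLiterals(child, `${path}[${i}]`, out));
  } else if (node && typeof node === 'object') {
    if (node.type === 'NumberLiteral' &&
        !(typeof node.value === 'number' && Number.isFinite(node.value))) {
      out.push(path);
    }
    for (const [key, child] of Object.entries(node)) {
      if (key !== 'loc') findBadNumberLiterals(child, `${path}.${key}`, out);
    }
  }
  return out;
}

// Accept a string (the normal, safe case) or an AST object that passed the walk.
function validateTemplateInput(input) {
  if (typeof input === 'string') return { kind: 'string', input };
  if (input === null || typeof input !== 'object') {
    throw new TypeError('template must be a string or an AST object');
  }
  const bad = findBadNumberLiterals(input);
  if (bad.length > 0) {
    throw new TypeError(`non-numeric NumberLiteral value at ${bad.join(', ')}`);
  }
  return { kind: 'ast', input };
}

function safeCompile(compileFn, input) {
  return compileFn(validateTemplateInput(input).input);
}

// Constructed samples: a well-formed AST and one decoded from untrusted JSON.
const goodAst = { type: 'Program', body: [{ type: 'MustacheStatement',
  path: { type: 'PathExpression', original: 'helper' },
  params: [{ type: 'NumberLiteral', value: 42, original: 42 }] }] };
const badAst = JSON.parse('{"type":"Program","body":[{"type":"MustacheStatement",'
  + '"params":[{"type":"NumberLiteral","value":"not-a-number"}]}]}');
```

In practice `safeCompile(Handlebars.compile, input)` would be the only call site permitted to reach the compiler, and the string branch is the one to prefer.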
Exploitation status
Public Exploit Available: false
Analyst recommendation
Updating to version 4.7.9 is the most effective mitigation. Developers should also adopt the practice of pre-compiling templates and using the runtime-only version of Handlebars in production to eliminate the risk of dynamic compilation vulnerabilities entirely.