BETA Shoulder is in beta — Findings may sometimes be wrong. Your feedback shapes what we fix next. Share feedback
Shoulder.dev

Understand what every change actually did to your system.
FIX SOON No patch yet
High impact vulnerability.
No patch available yet. Apply workarounds and monitor.

Handlebars RCE

Remote code execution via specially crafted templates

Severity CVSS CRITICAL 9.8
Exploitation Shoulder No known exploits
Fix available No patch yet
CVE-2021-23383 npm / Handlebars

Should I care?

This matters if:
  • Apps using eval(), Function(), or dynamic code execution
  • Template engines with expression support
Not relevant if:
  • No dynamic code evaluation in your codebase
  • All input is validated before processing

How to fix

How it breaks apps

1 User input reaches code evaluator
2 Dynamic code is constructed
3 Arbitrary code executes on server
4 Full server compromise

Affected packages

npm Handlebars

Is this in your code?

Shoulder scans your codebase and tells you if CVE-2021-23383 is reachable — not just present.

npx @shoulderdev/cli trust .
Technical details

Risk by Environment

Production (public-facing) HIGH
Patch soon. Exploitation requires specific conditions but impact is severe.
Staging MEDIUM
Schedule patch. Review if this environment is network-accessible.
Internal services MEDIUM
Assess exposure. Patch if the service handles sensitive data.
Local dev only LOW
Minimal risk in isolated dev environments.

AI Development Risk

This vulnerability pattern is commonly introduced when AI generates code.

CWE-94
Code injection
AI-generated code commonly uses eval(), template literals, or dynamic function construction without sanitization.

Detection Rules 10 rules

CWE-94 10 rules

Improper Control of Generation of Code ('Code Injection')

Code Injection via os/exec
LLM Insecure Output Handling
Server-Side Template Injection

External References

NVD View on NVD →
MITRE View on MITRE →
Back to Ecosystem Intelligence Browse CWE Index