Fix soon: no patch yet
High impact vulnerability.
No patch available yet. Apply workarounds and monitor.

Handlebars prototype pollution

Arbitrary code execution when compiling untrusted templates

Severity: CVSS CRITICAL 9.8
Exploitation: No known exploits
Fix available: No patch yet
CVE-2021-23369 (npm / Handlebars)

Should I care?

This matters if:
  • Apps rendering user-supplied HTML or data into web pages
  • Server-side template rendering with user input
  • Apps using eval(), Function(), or dynamic code execution
  • Template engines with expression support
Not relevant if:
  • You render no user-controlled content
  • All output is escaped or uses a safe templating engine
  • No dynamic code evaluation in your codebase
  • All input is validated before processing

How to fix

How it breaks apps

1. User input reaches page
2. Content rendered without escaping
3. Script executes in victim browser
4. Session hijack or data theft

Affected packages

Is this in your code?

Shoulder scans your codebase and tells you if CVE-2021-23369 is reachable — not just present.

npx @shoulderdev/cli trust .

Technical details

Risk by Environment

Production (public-facing): HIGH
Patch soon. Exploitation requires specific conditions but impact is severe.
Staging: MEDIUM
Schedule patch. Review if this environment is network-accessible.
Internal services: MEDIUM
Assess exposure. Patch if the service handles sensitive data.
Local dev only: LOW
Minimal risk in isolated dev environments.

AI Development Risk

This vulnerability pattern is commonly introduced when AI generates code.

CWE-79 (Cross-site scripting)
LLMs often generate HTML rendering code that interpolates user input without escaping.
CWE-94 (Code injection)
AI-generated code commonly uses eval(), template literals, or dynamic function construction without sanitization.