fix(security): Fix security issue in handlebars via minor version upgrade from 4.7.8 to 4.7.9 by aikido-autofix[bot] · Pull Request #1708 · lifinance/contracts

aikido-autofix · 2026-04-13T08:28:38Z

Upgrade Handlebars to fix critical RCE via AST injection, medium proto-access bypass, and low TOCTOU property lookup vulnerability.

✅ 3 CVEs resolved by this upgrade, including 1 critical 🚨 CVE

This PR will resolve the following CVEs:

Issue	Severity	Description
CVE-2026-33937	🚨 CRITICAL	[handlebars] A vulnerability in `Handlebars.compile()` allows attackers to inject arbitrary JavaScript through crafted AST objects, enabling Remote Code Execution when the `NumberLiteral` value field is emitted without sanitization.
GHSA-7rx3-28cr-v5wh	MEDIUM	[handlebars] A prototype method blocklist omits `__lookupSetter__` while blocking its symmetric counterparts, allowing prototype pollution when the non-default `allowProtoMethodsByDefault: true` option is set. This creates an inconsistent security boundary enabling potential code execution or object manipulation through template injection.
GHSA-442j-39wm-28r2	LOW	[handlebars] A Time-of-Check Time-of-Use (TOCTOU) vulnerability in the `lookup()` function allows prototype pollution and property access bypass when the compat option is enabled, potentially leading to information disclosure or code execution. The security check via `lookupProperty()` is discarded, and an unguarded property access is performed instead.

fix(security): update handlebars from 4.7.8 to 4.7.9

6345076

aikido-autofix Bot added the Aikido Label created by Aikido AutoFix label Apr 13, 2026

lifi-action-bot marked this pull request as draft April 13, 2026 08:28

lifi-action-bot added the AuditNotRequired label Apr 13, 2026

Provide feedback