CVE-2021-32820

CVE-2021-32820: File disclosure in Express Handlebars

Vendor Express-Handlebars

Product express-handlebars

Weakness CWE-200 · Info exposure

Published May 14, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability.

Key dates

02Disclosure timeline

May 14, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-32820

Related vulnerabilities

CVE-2021-32820: File disclosure in Express Handlebars

01Description

02Disclosure timeline

03References

04Related CVE