Potential remote code execution vulnerability uncovered in Node.js apps

Charlie Osborne, 28 January 2021 at 13:45 UTC. Updated: 28 January 2021 at 13:51 UTC

Local file read and RCE errors have been linked to Express.js and Handlebars usage



A vulnerability in a Node.js web application framework could be exploited to achieve remote code execution (RCE).


Made public by self-described “wannabe” security researcher Shoeb ‘CaptainFreak’ Patel on January 23, the research suggests that Express.js may be susceptible to local file read errors. When combined with an old version of the Handlebars engine, this flaw could also be exploited to remotely execute malicious code.


Handlebars is a popular templating engine for web applications.


Speaking to The Daily Swig, Patel said that he decided to hunt for vulnerabilities in Node.js, Express.js, and Handlebars due to his familiarity with the code as a developer.


‘Dependency hell’


In a technical writeup, Patel said that last week, he “stumbled across” a critical local file read security issue which only required a payload of fewer than 10 lines of code to turn it into a potential RCE exploit.


The developer said they were “surprised and disillusioned” by the bug, laying the blame on ‘dependency hell’ – a common development issue experienced when software relies on