ExpressJs used with Handlebars as templating engine (invoked via hbs view engine) is vulnerable to a Local File Read vulnerabilty that allows an attacker to read arbitrary files using the layout parameter. The vulnerability appears when code like the example below is used:

var express = require('express');
var router = express.Router();

router.get('/', function(req, res, next) {
});'/', function(req, res, next) {
	var profile = req.body.profile
 	res.render('index', profile)

module.exports = router;
The problem lies with the following line of code:
res.render('index', profile)


Use the code pattern

res.render('index', { profile })
instead of
res.render('index', profile)


Related Vulnerabilities