CVE-2021-32822: 
JavaScript vulnerability analysis and mitigation

The npm hbs package, an Express view engine wrapper for Handlebars, was identified with a file disclosure vulnerability (CVE-2021-32822). The vulnerability was discovered in version v4.1.1 and reported on January 25, 2021, with public disclosure on May 27, 2021. This security issue affects applications using the hbs template engine that pass user-controlled data directly through the Express render API (GitHub Advisory).

The vulnerability stems from hbs mixing pure template data with engine configuration options through the Express render API. The Express render API was originally designed to only pass template data, but when template engine configuration options are passed through it directly, it can lead to security issues. This occurs particularly when applications pass user-controlled objects (like req.query) directly into the render engine. The vulnerability has been assigned CWE-538 and CWE-200 classifications, relating to file information disclosure (NVD Report).

The primary impact of this vulnerability is file disclosure, where an attacker could potentially access sensitive files on the system. When exploited, the vulnerability allows attackers to retrieve contents of arbitrary files by manipulating the template engine configuration options (GitHub Advisory).

The vulnerability was reported to the maintainer on January 25, 2021, and acknowledged on January 28, 2021. Applications should avoid passing user-controlled objects directly to the render function and ensure proper validation of input data. Additionally, developers should review their template engine configuration handling to ensure it aligns with Express's intended design (GitHub Advisory).