
Flow ships Handlebars 3.0.0 with known security vulnerabilities
Open, Low · Public · Security

Description

Flow is in read-only mode, but makes use of Handlebars to do client-side rendering. We are using an outdated version with known security vulnerabilities.

A quick check on www.mediawiki.org shows one of the vulnerabilities mentioned:

```javascript
// Run from the browser console on a wiki that ships the module. The alert()
// fires only because the template is compiled with compat mode enabled.
mw.loader.using( 'mediawiki.template.handlebars' ).then( () => {
	// The Handlebars expression is buried inside a long, harmless-looking string.
	var s2 = `<div>template that looks fine but hidden inside the long string is some JS code that might not be easily seen by the human eye during a casual glance. Sometimes wiki interface admins turn on gadgets with very little code review, maybe only testing it does what it says it does but not looking at what it might be doing in the background</div>{{'a/.") || alert("Handlebars JS when compiling in compat mode'}}<span>things could easily be sneaked in.</span>`;
	var template = Handlebars.compile( s2, {
		compat: true // the vulnerable code path is only reached in compat mode
	} );
	console.log( template( {} ) );
} );
```

I don't think we use compat mode, and at a glance we are probably okay for deployed code, but I suspect it's worth evaluating the other known security issues to see if they apply.

I suspect the surface vector is low, since Flow is not enabled on all wikis. Flow does render messages as HTML, for example flow-compare-revisions-header-post.
The most likely use of these vectors, from what I can see, is that they could be used to obscure an attack, e.g. adding some code to a wiki page and then executing it indirectly through Handlebars, but that would require edit access to the gadget namespace.
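To make the mechanism behind the payload above concrete, here is an added example that is not Flow's, Handlebars' or the task author's code: a deliberately minimal template compiler that models the bug class (a path segment concatenated unescaped into generated JavaScript source, so a crafted segment closes the string literal and appends its own code) beside a hardened variant that emits the segment with JSON.stringify, plus a small lint that flags path segments containing characters a plain property path never needs. The function names, the SAFE_PATH allowlist and the shortened template string are this example's own assumptions; the alert() spy exists only so the injected call is observable under Node, which has no alert().

```javascript
// Added example: a toy template compiler modelling the bug class, not
// Handlebars' own code. compileUnsafe, compileSafe, suspiciousPaths and the
// SAFE_PATH allowlist are this example's own names and assumptions.

// Resolve one property on the context, tolerating a null context.
function lookup(ctx, name) {
  return ctx != null && Object.prototype.hasOwnProperty.call(ctx, name) ? ctx[name] : '';
}

function escapeHtml(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Split a template into literal text and {{expression}} parts. A quoted
// expression ({{'...'}} or {{"..."}}) is a segment literal whose contents
// are taken verbatim, which is the form the payload above uses.
function parse(template) {
  const re = /\{\{\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^}]*?)\s*\}\}/g;
  const parts = [];
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    parts.push({ text: template.slice(last, m.index) });
    let expr = m[1];
    if (expr.length >= 2 && (expr[0] === "'" || expr[0] === '"') && expr[expr.length - 1] === expr[0]) {
      expr = expr.slice(1, -1);
    }
    parts.push({ path: expr });
    last = re.lastIndex;
  }
  parts.push({ text: template.slice(last) });
  return parts;
}

// Emit JavaScript source for the parts. `quotePath` decides how a path
// segment is embedded into that source, which is the whole difference
// between the vulnerable and the hardened compiler.
function generate(parts, quotePath) {
  let src = 'var out = "";\n';
  for (const p of parts) {
    if (p.text !== undefined) {
      src += 'out += ' + JSON.stringify(p.text) + ';\n';
    } else {
      src += 'out += escapeHtml(lookup(ctx, ' + quotePath(p.path) + '));\n';
    }
  }
  return src + 'return out;';
}

function build(src) {
  const fn = new Function('ctx', 'lookup', 'escapeHtml', src);
  return (ctx) => fn(ctx, lookup, escapeHtml);
}

// Vulnerable: the path is dropped between bare quotes, so a path such as
//   a/.") || alert("...
// closes the string and the lookup() call and appends arbitrary code.
function compileUnsafe(template) {
  return build(generate(parse(template), (path) => '"' + path + '"'));
}

// Hardened: JSON.stringify yields a valid JS string literal for any path,
// so the payload is only ever a (non-existent) property name.
function compileSafe(template) {
  return build(generate(parse(template), (path) => JSON.stringify(path)));
}

// Lint for reviewers of gadget code: property paths only need these
// characters (assumed allowlist); anything else deserves a close look.
const SAFE_PATH = /^[A-Za-z0-9_$@.\/-]+$/;
function suspiciousPaths(template) {
  return parse(template)
    .filter((p) => p.path !== undefined && !SAFE_PATH.test(p.path))
    .map((p) => p.path);
}

// Run a compiled template with a temporary alert() spy so the injected call
// is observable under Node.
function renderWithAlertSpy(render, ctx) {
  const alerts = [];
  const saved = globalThis.alert;
  globalThis.alert = (msg) => { alerts.push(String(msg)); };
  try {
    return { output: render(ctx), alerts };
  } finally {
    if (saved === undefined) delete globalThis.alert; else globalThis.alert = saved;
  }
}

// Constructed, shortened version of the template posted above.
const PAYLOAD_TEMPLATE =
  '<div>looks harmless</div>' +
  '{{\'a/.") || alert("Handlebars JS when compiling in compat mode\'}}' +
  '<span>more markup</span>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', renderWithAlertSpy(compileUnsafe(PAYLOAD_TEMPLATE), {}));
  console.log('safe:  ', renderWithAlertSpy(compileSafe(PAYLOAD_TEMPLATE), {}));
  console.log('lint:  ', suspiciousPaths(PAYLOAD_TEMPLATE));
}
```

The two compilers render ordinary templates identically; only the crafted path behaves differently, which is why a payload like this survives a casual glance at a gadget's output. The lint is the cheap pre-deployment check: a mustache path that contains quotes, parentheses or `||` has no legitimate reason to exist.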

Details

Risk Rating: Low
Author Affiliation: WMF Product

Event Timeline

Catrope changed the subtype of this task from "Task" to "Security Issue".
Catrope removed a project: WMF-NDA.
Catrope changed the visibility from "Custom Policy" to "Custom Policy".

I don't think these vulnerabilities affect us directly, but it doesn't hurt to upgrade. I've submitted a public patch to upgrade Handlebars at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/Flow/+/1277782 , without reference to security vulnerabilities or to this task. Once that has ridden the train I think we can make this task public.

Landed; this'll go out in 1.47.0-wmf.1 (and not REL1_46), so if you want to announce, this'll need to be back-ported to release branches etc.

This is now tracked under the next supplemental security release (T421273). And we can make this task public (if we'd like to) after this week.

sbassett changed Author Affiliation from N/A to WMF Product.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.