Vulnerable Handlebars (v4.7.7) detected in Power Pages portal scripts


Description

We are seeing a vulnerability flagged during security scanning in a Power Pages portal.

  • Issue: Handlebars v4.7.7 (known security issues)
  • Source:
    • https://content.powerapps.com/resource/powerappsportal/dist/postpreform.BootstrapV5.bundle-<hash>.js
  • This script is Microsoft-managed and not part of our custom code.

Concern

Since the dependency is coming from the portal runtime:

  • We cannot upgrade or override it
  • This is impacting our security compliance

Ask

  • Is this a known dependency in Power Pages?
  • Is it already mitigated or a false positive?
  • Any timeline or workaround to address this?

  • Suggested answer
    Jerald Felix (Super User 2026 Season 1)
    Hello,

    Greetings!

    Thanks for raising this question in the Q&A forum.

    This is happening because Power Pages loads certain JavaScript libraries (like Handlebars v4.7.7) as part of its built-in portal runtime scripts managed entirely by Microsoft. Since these scripts are not part of your custom code, your security scanner is picking them up and flagging them as vulnerabilities, even though you have no direct control over them.

    Here is what you can do about it:
     
    1. First, confirm that the flagged script URL (postpreform.BootstrapV5.bundle.js) is indeed coming from content.powerapps.com and not from any custom code you have added to your portal. This helps clearly establish that it is a Microsoft-owned dependency.
    2. Raise a support ticket directly with Microsoft through the Power Platform Admin Center. Mention the specific CVE numbers your scanner flagged, the script URL, and that this is a platform-managed file outside your control. Microsoft's engineering team can confirm whether this is already patched or being tracked.
    3. While waiting for Microsoft's response, document this finding in your security compliance report as a third-party vendor managed dependency. Most compliance frameworks allow you to record a risk acceptance note for vulnerabilities that are outside your team's control, so this should help unblock your audit.
    4. Keep an eye on the Power Pages release notes at learn.microsoft.com as Microsoft regularly updates platform dependencies. The fix may already be rolling out in a newer portal version.
    5. You can also check if the specific vulnerable code path in Handlebars is actually reachable within your portal's usage. In many cases, scanners flag a library version without checking if the dangerous function is ever called, making it a false positive in practice.
    If this answer helps you, kindly accept it, which will help others who have similar questions.

    Best Regards,
    Jerald Felix
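
    Added example (not code from this thread, from Power Pages, or from Microsoft): a small Node.js triage helper that supports steps 1 and 5 above. Given the URL the flagged script was served from and the bundle's source text, it confirms whether the origin is the platform CDN named in the question, reads the Handlebars version string the bundle actually embeds, and checks statically whether runtime template compilation (`compile`/`precompile`) is referenced at all, as opposed to only precompiled templates instantiated with `template()`. The managed-host list, the regular expressions, the function names and the sample bundle text are all assumptions constructed for the example; the output is evidence to attach to a vendor ticket or a risk-acceptance note, not a proof of exploitability either way.

    ```javascript
    // Added example, not code from the forum thread, Power Pages or Microsoft.
    // Static triage of a scanner finding against a third-party JavaScript bundle.

    const { URL } = require("node:url");

    // Assumption: only the host named in the question is treated as platform-managed.
    const MANAGED_HOSTS = new Set(["content.powerapps.com"]);

    // Step 1: is the flagged script served from the platform CDN or from our own code?
    function classifyOrigin(scriptUrl) {
      const host = new URL(scriptUrl).hostname.toLowerCase();
      return MANAGED_HOSTS.has(host) ? "platform-managed" : "custom-or-unknown";
    }

    // Handlebars builds embed their version as VERSION = "x.y.z" (exposed as Handlebars.VERSION),
    // so the scanner's version claim can be checked against the bundle text itself.
    function findHandlebarsVersion(bundleSource) {
      const m = bundleSource.match(/\bVERSION\s*=\s*["'](\d+\.\d+\.\d+)["']/);
      return m ? m[1] : null;
    }

    // Step 5: the widely reported Handlebars advisories are reached by compiling template
    // text at runtime through compile()/precompile(). Precompiled templates are instantiated
    // with template() and never enter the compiler. Minification renames the receiver
    // (Handlebars.compile -> t.compile), so only the member name is matched; a hit means
    // "review manually", not "exploitable", and no hit means "review manually" as well.
    function findCompileEntryPoints(bundleSource) {
      return {
        runtimeCompile: /\.(?:compile|precompile)\s*\(/.test(bundleSource),
        precompiledTemplates: /\.template\s*\(/.test(bundleSource),
      };
    }

    // Combine the checks into the record you would attach to a ticket or audit note.
    function triageFinding(scriptUrl, bundleSource) {
      const origin = classifyOrigin(scriptUrl);
      const version = findHandlebarsVersion(bundleSource);
      const entryPoints = findCompileEntryPoints(bundleSource);

      let nextStep;
      if (origin === "platform-managed") {
        nextStep = "raise a support ticket with the platform vendor and record the finding as a vendor-managed dependency";
      } else if (entryPoints.runtimeCompile) {
        nextStep = "runtime template compilation is referenced in your own code: review where template text comes from and upgrade the library";
      } else {
        nextStep = "no runtime compilation reference found: review manually before documenting the path as not reachable";
      }
      return { scriptUrl, origin, version, entryPoints, nextStep };
    }

    // Constructed sample input: a minimal stand-in for a minified bundle that ships the
    // Handlebars runtime plus one precompiled template. The hash segment is a placeholder.
    const SAMPLE_URL =
      "https://content.powerapps.com/resource/powerappsportal/dist/postpreform.BootstrapV5.bundle-PLACEHOLDERHASH.js";
    const SAMPLE_BUNDLE = [
      "/*! constructed sample, not the real Power Pages bundle */",
      'var Handlebars=function(){var e={};e.VERSION="4.7.7";e.COMPILER_REVISION=8;',
      "e.template=function(t){return t};return e}();",
      'var tpl=Handlebars.template({compiler:[8,">= 4.3.0"],main:function(){return "ok"}});',
    ].join("\n");

    if (require.main === module) {
      console.log(JSON.stringify(triageFinding(SAMPLE_URL, SAMPLE_BUNDLE), null, 2));
    }
    ```

    Run it with `node triage.js`; for a real finding, replace the sample with the bundle text you downloaded and the URL your scanner reported. The version check and the origin check are the parts worth pasting into the support ticket, because they turn "a scanner said 4.7.7" into "the bundle served from this host embeds this version string".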
  • SG-20050729-0

    The reported vulnerability related to Handlebars v4.7.7 is classified as a false positive in the context of Power Pages.

    Although the library version has known vulnerabilities, Microsoft has confirmed through independent third‑party penetration testing and internal SDL (Secure Development Lifecycle) reviews that the way this library is implemented within Power Pages does not expose any exploitable attack surface.

    As per their analysis:

    • The identified issue is theoretical in nature and does not result in any demonstrated exploit or breach in the current deployment.
    • Microsoft has performed annual security assessments, validating that the implementation is secure and non-exploitable.
    • The platform uses controlled and reviewed usage of third‑party libraries, ensuring vulnerable methods are not utilized.
    • Upgrading the library version is not mandatory unless there is a real, exploitable risk, as unnecessary upgrades may introduce regression or compatibility issues.
    • Additional platform-level protections and mitigations are already in place, reducing any residual risk.

    Given these validations, no remediation action is required at the application level. The finding does not pose an actual security risk.
