diff --git a/build.gradle b/build.gradle
index 5e8e63be..c8a04271 100644
--- a/build.gradle
+++ b/build.gradle
@@ -58,6 +58,14 @@ ext {
 jackson_version = "2.22.0"
 }
+configurations.testRuntimeClasspath {
+ // handlebars 4.3.1 (pulled in by wiremock) has a path traversal CVE fixed in 4.5.2.
+ // WireMock 3.x hasn't backported the fix — only the 4.x beta line has.
+ // We force the core jar only; handlebars-helpers cannot be forced to 4.5.2 because
+ // NumberHelper moved packages between versions, which breaks WireMock at runtime.
+ resolutionStrategy.force 'com.github.jknack:handlebars:4.5.2'
+}
+
 dependencies {
 implementation "com.google.code.findbugs:jsr305:3.0.2"
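Review bot: `resolutionStrategy.force` in the new `configurations.testRuntimeClasspath` block pins handlebars to exactly 4.5.2, so it would also silently downgrade a newer handlebars once a later WireMock release brings one in; a dependency constraint sets a floor instead and records the reason in dependency reports. The comment names "a path traversal CVE" without an identifier, so the advisory id should be recorded next to the override so it can be audited and removed later. The override covers only `testRuntimeClasspath`; if WireMock is resolved on any other configuration, or a standalone/shaded WireMock artifact is in use (neither is visible in this hunk), the 4.3.1 classes would remain on that classpath. The `dependencies` block continues outside the hunk, so the constraint below is shown without its closing brace.

```groovy
dependencies {
    constraints {
        // Floor, not a pin: a newer transitive handlebars still wins conflict resolution.
        testRuntimeOnly('com.github.jknack:handlebars:4.5.2') {
            because 'path traversal fix (<CVE-ID>); WireMock 3.x still resolves 4.3.1'
        }
    }
    // … unchanged: existing dependency declarations …
```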