CVE-2026-33939
TypeError-Induced Denial of Service in Handlebars Template Compiler
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| handlebarsjs | handlebars | From 4.0.0 (inc) to 4.7.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-754 | The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Handlebars versions 4.0.0 through 4.7.8 (fixed in 4.7.9). When a template uses decorator syntax that refers to a decorator which was never registered (for example, {{*n}}), the compiled template's lookup of that decorator yields undefined, and the Handlebars runtime then invokes that undefined value as a function. The resulting TypeError is not handled inside Handlebars; it propagates out of the render call and, if the application does not catch it either, terminates the Node.js process.
Any application that compiles and renders user-supplied templates without catching exceptions from those calls is therefore exposed to a single-request Denial of Service (DoS): one crafted template takes down the process for every user, not just the attacker's request.
Version 4.7.9 of Handlebars fixes this issue. Workarounds include wrapping both compilation and rendering in try/catch blocks, validating template input so that templates containing decorator syntax are rejected when the application registers no decorators, and moving to a pre-compilation workflow that compiles trusted templates at build time instead of compiling at request time.
How can this vulnerability impact me?
This vulnerability can cause a Denial of Service (DoS) by crashing the Node.js process when a user-supplied Handlebars template references an unregistered decorator. An attacker who can submit a template needs only one specially crafted request to trigger the crash, making the application unavailable until the process is restarted (and again on the next such request).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The trigger is a Handlebars template containing decorator syntax that references an unregistered decorator; the resulting unhandled TypeError crashes the Node.js process.
To assess exposure, first check which Handlebars versions are installed, including nested copies pulled in by other dependencies: anything from 4.0.0 up to but not including 4.7.9 is affected. Then review the code paths that pass user-supplied or otherwise attacker-influenced strings to Handlebars.compile(), and check whether the compile and render calls are wrapped in try/catch.
Additionally, inspect templates that reach the compiler for decorator syntax (e.g., {{*n}}) referencing decorators your application never registers.
There are no specific commands provided in the available information to detect this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Wrap both the compilation and the rendering of Handlebars templates in try/catch blocks, so a failing template produces an error response for that one request instead of an uncaught exception that terminates the process.
- Validate template input before passing it to compile(); specifically, reject templates containing decorator syntax ({{*...}}) if your application does not register decorators.
- Use the pre-compilation workflow: compile trusted templates at build time and serve only pre-compiled templates, so compile() is never called on request-time input.
- Upgrade Handlebars to version 4.7.9 or later, where this issue is fixed.