CVE-2026-33939
Status: Received - Intake
TypeError-Induced Denial of Service in Handlebars Template Compiler

Publication date: 2026-03-27

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service.

Version 4.7.9 fixes the issue. Some workarounds are available:

  • Wrap compilation and rendering in `try/catch`.
  • Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application.
  • Use the pre-compilation workflow: compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.
Meta Information
Published: 2026-03-27
Last Modified: 2026-03-31
Generated: 2026-06-16
AI Q&A: 2026-03-28
EPSS Evaluated: 2026-06-14
NVD
Affected Vendors & Products
Vendor: handlebarsjs
Product: handlebars
Version / Range: from 4.0.0 (inclusive) to 4.7.9 (exclusive)
CWE-754: The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the product.
Executive Summary

This vulnerability exists in Handlebars versions 4.0.0 through 4.7.8. When a Handlebars template contains decorator syntax referencing an unregistered decorator (for example, {{*n}}), the compiled template calls a function that returns undefined. The runtime then tries to invoke this undefined value as a function, which causes an unhandled TypeError and crashes the Node.js process.

Any application that compiles user-supplied templates without wrapping the compilation call in a try/catch block is vulnerable to a single-request Denial of Service (DoS) attack.

Version 4.7.9 of Handlebars fixes this issue. Workarounds include wrapping compilation and rendering in try/catch blocks, validating template input to reject templates containing decorator syntax if decorators are not used, and using a pre-compilation workflow to compile templates at build time instead of at request time.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) by crashing the Node.js process when an unregistered decorator is referenced in a user-supplied Handlebars template. This means that an attacker can send a specially crafted template that triggers the crash, causing the application to become unavailable.

Detection Guidance

This vulnerability occurs when a Handlebars template contains decorator syntax referencing an unregistered decorator, causing a Node.js process crash due to an unhandled TypeError.

To detect this vulnerability, you should check if your application compiles user-supplied templates without wrapping the compilation and rendering calls in try/catch blocks.

Additionally, inspect templates for decorator syntax (e.g., {{*n}}) that references decorators your application has not registered.

There are no specific commands provided in the available information to detect this vulnerability on your network or system.

Mitigation Strategies

Immediate mitigation steps include:

  • Wrap the compilation and rendering of Handlebars templates in try/catch blocks to handle potential errors gracefully.
  • Validate template input before passing it to the compile() function; specifically, reject templates containing decorator syntax ({{*...}}) if decorators are not used in your application.
  • Use the pre-compilation workflow by compiling templates at build time and serving only pre-compiled templates, avoiding calls to compile() at request time.
  • Upgrade Handlebars to version 4.7.9 or later, where this issue is fixed.
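The following is an added example (not code from the advisory or from the Handlebars project) that implements the two workarounds above: it rejects decorator syntax before `compile()` is called and wraps compile plus render in `try/catch` so the TypeError becomes an error result instead of a process crash. The compile function is injected, and `affectedCompileStub` is a constructed stand-in that mimics the crash, so the file runs without the handlebars package; with the real library you would pass `Handlebars.compile`. The check also covers the block-decorator form `{{#*...}}` and the whitespace-control variant `{{~*...}}`, which the advisory does not mention.

```javascript
// Matches {{*name}}, {{#*name}} block decorators, and the whitespace-control
// variants {{~*name}} / {{~#*name}}. Deliberately conservative: it also flags
// the escaped literal \{{*...}}, which is acceptable for a reject list.
const DECORATOR_SYNTAX = /\{\{~?\s*#?\s*\*/;

function hasDecoratorSyntax(template) {
  return DECORATOR_SYNTAX.test(template);
}

// Returns { ok: true, output } or { ok: false, reason }. Never throws, so a
// single malicious template cannot take down the Node.js process.
// `compile` is injected (assumption) so this runs without the handlebars package.
function safeRender(compile, template, context, { allowDecorators = false } = {}) {
  if (typeof template !== 'string') {
    return { ok: false, reason: 'template must be a string' };
  }
  if (!allowDecorators && hasDecoratorSyntax(template)) {
    return { ok: false, reason: 'decorator syntax is not permitted' };
  }
  try {
    const fn = compile(template);          // may throw on a malformed template
    return { ok: true, output: fn(context) }; // may throw "... is not a function"
  } catch (err) {
    return { ok: false, reason: `render failed: ${err.name}: ${err.message}` };
  }
}

// Constructed stand-in for an affected Handlebars.compile (not the real
// library): looking up an unregistered decorator yields undefined, and the
// returned template function calls it, reproducing the TypeError.
function affectedCompileStub(template) {
  const m = template.match(/\{\{\*\s*(\w+)\s*\}\}/);
  if (m) {
    const decorators = {};              // nothing registered
    const decorator = decorators[m[1]]; // undefined
    return () => decorator();           // TypeError: decorator is not a function
  }
  // Minimal {{key}} substitution for templates without decorators.
  return (ctx) =>
    template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, k) => String(ctx[k] ?? ''));
}
```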