CVE-2026-33940
Arbitrary Code Execution via Dynamic Partial Injection in Handlebars
Publication date: 2026-03-27
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| handlebarsjs | handlebars | From 4.0.0 (inc) to 4.7.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Handlebars versions 4.0.0 through 4.7.8. It allows an attacker who can control the value returned by a dynamic partial lookup to bypass all of the conditional guards in the resolvePartial() function. invokePartial() then returns undefined, and the Handlebars runtime treats the unresolved partial as template source that still needs compilation. If the controlled value is an object shaped like a valid Handlebars AST containing injected code, that fallback compilation executes it, resulting in arbitrary JavaScript code execution on the server.
The issue is fixed in version 4.7.9. Workarounds include using the runtime-only build to avoid fallback compilation, sanitizing context data to ensure no non-primitive objects are passed to dynamic partials, and avoiding dynamic partial lookups when context data is user-controlled.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on the server where Handlebars is used. An attacker who controls certain input can execute malicious JavaScript code, potentially compromising the server's confidentiality, integrity, and availability.
- Confidentiality impact: Sensitive data on the server could be exposed.
- Integrity impact: Attackers could modify data or application behavior.
- Availability impact: The server or application could be disrupted or taken down.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Handlebars to version 4.7.9 or later, where the issue is fixed.
- Use the runtime-only build (require('handlebars/runtime')) to avoid fallback compilation paths.
- Sanitize context data before rendering to ensure no value in the context is a non-primitive object that could be passed to a dynamic partial.
- Avoid dynamic partial lookups (e.g., {{> (lookup ...)}}) when context data is user-controlled.
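As an added example (not code from the advisory or from the Handlebars project), the following implements the last two mitigations together: a guard that forces a dynamic partial name to be a string on an allowlist, and a pre-render check that walks the context for values that would fail that guard. The partial names in ALLOWED_PARTIALS and the safePartial helper name are assumptions.

```javascript
// Added example, not code from the advisory or the Handlebars project.
// Assumptions: ALLOWED_PARTIALS lists the names registered via
// Handlebars.registerPartial(), and templates use {{> (safePartial key)}}
// in place of an unguarded {{> (lookup . key)}}.

const ALLOWED_PARTIALS = new Set(['userCard', 'adminCard']);

function describeValue(v) {
  if (v === null) return 'null';
  if (Array.isArray(v)) return 'array';
  return typeof v;
}

// Reduce a context-supplied value to a partial *name* or throw. Anything
// that is not a string (objects, arrays, functions) is rejected, so an
// object shaped like a Handlebars AST never reaches the partial resolver.
function resolvePartialName(value, allowed = ALLOWED_PARTIALS) {
  if (typeof value !== 'string') {
    throw new TypeError(`partial name must be a string, got ${describeValue(value)}`);
  }
  if (!allowed.has(value)) {
    throw new Error(`partial "${value}" is not in the allowlist`);
  }
  return value;
}

// Register the guard as a helper on a Handlebars instance (the real one or
// a test double); `hb` is passed in so this file runs without the package.
function registerSafePartialHelper(hb, allowed = ALLOWED_PARTIALS) {
  hb.registerHelper('safePartial', (value) => resolvePartialName(value, allowed));
}

// Pre-render check: walk a context and report every value stored under
// `key` that resolvePartialName() would reject, together with its path.
function findUnsafePartialValues(ctx, key, allowed = ALLOWED_PARTIALS, path = '') {
  const problems = [];
  if (ctx === null || typeof ctx !== 'object') return problems;
  for (const [k, v] of Object.entries(ctx)) {
    const here = path ? `${path}.${k}` : k;
    if (k === key) {
      try { resolvePartialName(v, allowed); }
      catch (e) { problems.push({ path: here, reason: e.message }); }
    } else {
      problems.push(...findUnsafePartialValues(v, key, allowed, here));
    }
  }
  return problems;
}
```

With the real library you would call registerSafePartialHelper(require('handlebars/runtime')) once at startup and write the template as {{> (safePartial cardType)}}, so that the runtime-only build and the allowlist guard both apply.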