CVE-2026-33939
Published: 27 March 2026
Summary
CVE-2026-33939 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Handlebarsjs Handlebars. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 22.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Remediates the specific flaw in Handlebars versions 4.0.0-4.7.8 by requiring upgrade to 4.7.9, eliminating the unhandled TypeError crash from invalid decorator syntax.
- Directly mitigates the DoS by requiring error handling such as try/catch around template compilation and rendering to prevent Node.js process crashes from unhandled TypeErrors.
- Prevents exploitation by validating user-supplied templates and rejecting those containing decorator syntax like {{*n}} before passing them to compile().
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote DoS triggered by submitting a malicious template to a public-facing application endpoint that invokes Handlebars.compile() without error handling; this directly matches application or system exploitation to crash the process and deny service (T1499.004).
NVD Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.
Deeper analysis
CVE-2026-33939 is a denial-of-service vulnerability in Handlebars.js, a templating engine for building semantic templates, affecting versions 4.0.0 through 4.7.8. The issue arises when a template contains decorator syntax referencing an unregistered decorator, such as `{{*n}}`. When the compiled template is executed, it calls `lookupProperty(decorators, "n")`, which returns `undefined`, and the runtime then attempts to invoke that value as a function. This triggers an unhandled `TypeError: ... is not a function`, crashing the Node.js process. Applications that compile user-supplied templates without wrapping the operation in a `try/catch` block are vulnerable.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-754 (Improper Check for Unusual or Exceptional Conditions). A remote unauthenticated attacker can exploit it by submitting a malicious template containing invalid decorator syntax to an endpoint that dynamically compiles and renders Handlebars templates. A single request is sufficient to crash the Node.js process, causing a denial of service.
The issue is fixed in Handlebars version 4.7.9. Advisories recommend upgrading to the patched version. Workarounds include wrapping template compilation and rendering in `try/catch` blocks, validating and rejecting user-supplied templates containing decorator syntax (`{{*...}}`) if decorators are not used, or adopting a pre-compilation workflow where templates are compiled at build time and only pre-compiled templates are served at runtime, avoiding `compile()` calls during requests. Relevant resources include the fix commit, release notes for v4.7.9, and the GitHub security advisory GHSA-9cx6-37pm-9jff.
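Putting the advisory's workarounds together, as an added example that is not Handlebars project code: a pre-compile check that rejects decorator syntax, and a try/catch wrapper around compile and render so a malformed template produces an error result instead of a process crash. The `compile` function is injected, and `stubCompile` is a constructed stand-in for `Handlebars.compile` (an assumption, so the example runs offline); the regex is a conservative approximation of the decorator forms, not the Handlebars grammar.

```javascript
// Added example (not Handlebars project code): defensive handling for
// CVE-2026-33939 on a service that compiles user-supplied templates.
// Handlebars itself is not loaded; `compile` is injected so the wrapper can
// be exercised against a constructed stub that reproduces the failure mode.

// Conservative check: reject any mustache that opens a decorator, i.e. the
// inline form `{{*name}}` named in the advisory and Handlebars' block form
// `{{#*name}}`, allowing for `~` whitespace control and inner spaces. An
// escaped literal `\{{*n}}` is also rejected, which errs on the safe side.
const DECORATOR_RE = /\{\{~?\s*#?\s*\*/;

function containsDecoratorSyntax(template) {
  return DECORATOR_RE.test(template);
}

// Renders `template` with `context` via the supplied `compile` function.
// Returns { ok: true, output } or { ok: false, reason } and never throws,
// so one hostile request cannot bring down the Node.js process.
function safeRender(compile, template, context) {
  if (typeof template !== 'string') {
    return { ok: false, reason: 'template must be a string' };
  }
  if (containsDecoratorSyntax(template)) {
    return { ok: false, reason: 'decorator syntax is not allowed' };
  }
  try {
    const render = compile(template); // Handlebars compiles lazily, so the
    return { ok: true, output: render(context) }; // error surfaces on render
  } catch (err) {
    // Keep the exception out of the event loop; log it and degrade instead.
    return { ok: false, reason: `render failed: ${err.name}: ${err.message}` };
  }
}

// Constructed stand-in for Handlebars.compile (assumption, offline demo only):
// substitutes `{{name}}` from the context and mimics the unpatched engine by
// invoking the `undefined` returned for an unregistered decorator.
function stubCompile(template) {
  return (ctx) => template.replace(/\{\{(\*?)(\w+)\}\}/g, (_, star, name) => {
    if (star) {
      const decorator = undefined; // what lookupProperty(decorators, name) yields
      return decorator(ctx);       // TypeError: decorator is not a function
    }
    return ctx[name] === undefined ? '' : String(ctx[name]);
  });
}

console.log(safeRender(stubCompile, 'Hello {{user}}', { user: 'ana' }));
console.log(safeRender(stubCompile, 'Hi {{*n}}', {}));
```

In a real service, pass `Handlebars.compile` as the first argument and treat an `ok: false` result as a 4xx response.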
Details
- CWE(s)