CVE-2026-33939
Published: 27 March 2026
Summary
CVE-2026-33939 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Handlebarsjs Handlebars. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-33939 is a denial-of-service vulnerability in Handlebars.js, a templating engine for building semantic templates, affecting versions 4.0.0 through 4.7.8. The issue arises when a template contains decorator syntax referencing an unregistered decorator, such as `{{*n}}`. During compilation, the engine calls `lookupProperty(decorators, "n")`, which returns `undefined`, and then attempts to invoke it as a function. This triggers an unhandled `TypeError: ... is not a function`, crashing the Node.js process. Applications that compile user-supplied templates without wrapping the operation in a `try/catch` block are vulnerable.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-754 (Improper Check for Unusual or Exceptional Conditions). A remote unauthenticated attacker can exploit it by submitting a malicious template containing invalid decorator syntax to an endpoint that dynamically compiles and renders Handlebars templates. A single request is sufficient to crash the Node.js process, causing a denial of service.
The issue is fixed in Handlebars version 4.7.9. Advisories recommend upgrading to the patched version. Workarounds include wrapping template compilation and rendering in `try/catch` blocks, validating and rejecting user-supplied templates containing decorator syntax (`{{*...}}`) if decorators are not used, or adopting a pre-compilation workflow where templates are compiled at build time and only pre-compiled templates are served at runtime, avoiding `compile()` calls during requests. Relevant resources include the fix commit, release notes for v4.7.9, and the GitHub security advisory GHSA-9cx6-37pm-9jff.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16858
Vulnerability details
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available: wrap compilation and rendering in `try/catch`; validate template input before passing it to `compile()`, rejecting templates that contain decorator syntax (`{{*...}}`) if decorators are not used in your application; or use the pre-compilation workflow, compiling templates at build time and serving only pre-compiled templates, so that `compile()` is never called at request time.
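The two request-time workarounds described above (input validation that rejects decorator syntax, and `try/catch` around compile and render) can be combined in one wrapper. The following is an added example written for this page; it is not code from the Handlebars project or from the advisory. It assumes the application passes its compile function in as `compileFn`, so the wrapper can be exercised offline against `stubCompile`, a constructed stand-in that reproduces the 4.0.0-4.7.8 failure mode (an unregistered decorator resolving to `undefined` and being invoked). The rejection regex also covers the block decorator form `{{#*name}}`, which is standard Handlebars decorator syntax but goes beyond the `{{*...}}` form the advisory cites.

```javascript
// Added example (not Handlebars project code): defensive wrapper for
// applications that must compile untrusted template source at request time.
// Mitigations shown: (1) reject decorator syntax before compile(),
// (2) wrap compile + render in try/catch so a TypeError is contained
// instead of crashing the Node.js process.

// Matches inline decorators `{{* name}}` and block decorators `{{#* name}}`,
// tolerating the `~` whitespace-control marker. The block form is assumed
// from Handlebars' decorator grammar; the advisory only cites `{{*...}}`.
const DECORATOR_RE = /\{\{~?#?\*/;

function containsDecorator(templateSource) {
  return DECORATOR_RE.test(templateSource);
}

// Returns a result object rather than throwing, so the error path can never
// escape as an unhandled exception from a request handler.
function safeRender(compileFn, templateSource, context, opts = {}) {
  const allowDecorators = opts.allowDecorators === true;
  if (!allowDecorators && containsDecorator(templateSource)) {
    return { ok: false, reason: 'rejected: decorator syntax not permitted' };
  }
  try {
    const template = compileFn(templateSource);
    return { ok: true, output: template(context) };
  } catch (err) {
    // Degrade gracefully: report the failure, keep the process alive.
    return { ok: false, reason: `template error: ${err.name}: ${err.message}` };
  }
}

// --- Constructed stub standing in for a vulnerable Handlebars.compile() ---
// Supports plain `{{name}}` substitution and mimics the advisory's bug: an
// unregistered decorator is looked up (yielding undefined) and then called.
const registeredDecorators = {}; // nothing registered, as in the advisory
function stubCompile(source) {
  return function render(context) {
    const decoratorMatch = /\{\{\*\s*([A-Za-z_]\w*)\s*\}\}/.exec(source);
    if (decoratorMatch) {
      const decorator = registeredDecorators[decoratorMatch[1]]; // undefined
      decorator(context); // TypeError: decorator is not a function
    }
    return source.replace(/\{\{\s*([A-Za-z_]\w*)\s*\}\}/g, (_, key) =>
      Object.prototype.hasOwnProperty.call(context, key) ? String(context[key]) : '');
  };
}

// Demo over constructed inputs: a benign template, a rejected decorator
// template, and the same template with rejection disabled (caught crash).
console.log(safeRender(stubCompile, 'Hello {{name}}', { name: 'Ada' }));
console.log(safeRender(stubCompile, '{{*n}}', {}));
console.log(safeRender(stubCompile, '{{*n}}', {}, { allowDecorators: true }));
```

Rejecting decorator syntax up front is the cheaper control when the application never registers decorators; the `try/catch` remains necessary regardless, because a template can fail for reasons other than this CVE, and the upgrade to 4.7.9 is still the actual fix.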
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote DoS triggered by submitting a malicious template to a public-facing application endpoint that invokes Handlebars.compile() without error handling; this directly matches application or system exploitation to crash the process and deny service (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- Patch/upgrade: Remediates the specific flaw in Handlebars versions 4.0.0-4.7.8 by requiring an upgrade to 4.7.9, eliminating the unhandled TypeError crash from invalid decorator syntax.
- SI-11 (Error Handling): Directly mitigates the DoS by requiring error handling such as `try/catch` around template compilation and rendering, preventing Node.js process crashes from unhandled TypeErrors.
- SI-10 (Information Input Validation): Prevents exploitation by validating user-supplied templates and rejecting those containing decorator syntax like `{{*n}}` before passing them to `compile()`.