Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.
Published: 2026-03-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary JavaScript Execution on Server
Action: Immediate Patch
AI Analysis

Impact

A vulnerable version of the templating library allows engineered changes to a special context variable to inject a Handlebars Abstract Syntax Tree that is then compiled. This results in execution of arbitrary JavaScript code on the server, compromising confidentiality, integrity, and availability of the affected application. The weakness is categorized under CWE‑843, CWE‑917, and CWE‑94.

Affected Systems

All Node.js applications using Handlebars.js between versions 4.0.0 and 4.7.8, inclusive, are affected. The issue is resolved in 4.7.9 and later. Applications that embed third‑party helpers or allow untrusted data to influence template helpers are at greater risk.

Risk and Exploitability

The reported CVSS score is 8.1, indicating high severity. EPSS indicates less than 1% chance of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the attacker to control template helper input or to supply malicious data to a helper that writes to the context; thus, environments that expose helper internals to untrusted data are the most susceptible.

Generated by OpenCVE AI on March 31, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Handlebars.js to version 4.7.9 or later.
  • If immediate upgrade is not possible, use the runtime‑only build by requiring 'handlebars/runtime', which removes the compile path used by the vulnerability.
  • Audit all registered helpers to ensure none write arbitrary values to context objects; remove or refactor those that do.
  • Treat context data as read‑only within all helpers.
  • Avoid registering third‑party helpers, such as from 'handlebars-helpers', when template or context data may come from untrusted sources.
  • Monitor the Handlebars project for any additional advisories or patches.

Generated by OpenCVE AI on March 31, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3mfm-83xf-c92r Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Handlebarsjs
Handlebarsjs handlebars
Vendors & Products Handlebarsjs
Handlebarsjs handlebars

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-917
References
Metrics threat_severity

None

 threat_severity

Important

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in contexts where templates or context data can be influenced by untrusted input.
Title Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
Weaknesses CWE-843
CWE-94
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Handlebarsjs Handlebars
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T03:55:42.796Z

Reserved: 2026-03-24T19:50:52.103Z

Link: CVE-2026-33938

cve-icon Vulnrichment

Updated: 2026-03-31T19:08:38.425Z

cve-icon NVD

Status : Modified

Published: 2026-03-27T21:17:27.587

Modified: 2026-03-31T20:16:27.767

Link: CVE-2026-33938

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-27T21:05:42Z

Links: CVE-2026-33938 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:40Z

Weaknesses