Description
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability occurs when a Handlebars template contains decorator syntax that references an unregistered decorator, causing an undefined value to be invoked as a function during compilation. This triggers an unhandled TypeError, crashing the Node.js process and resulting in a denial of service. The weakness involves unexpected type usage and lack of exception handling, corresponding to common error handling failures.

Affected Systems

Handlbars.js versions 4.0.0 through 4.7.8 from the handlebars-lang project are affected. Any Node.js application that compiles user-supplied templates using these versions without proper safeguards is at risk. The flaw was remedied in version 4.7.9.

Risk and Exploitability

Based on the CVSS score of 7.5, the flaw carries high severity, while the EPSS score of less than 1% suggests a low probability of real‑world exploitation. It is not listed in the CISA KEV catalog. Nonetheless, if an application compiles templates on request from untrusted input, an attacker can trigger the crash by sending a template containing malformed decorator syntax such as '{{*n}}', thereby causing repeated service interruptions. The lack of defensive coding and the potential to crash the entire process amplifies the impact of the vulnerability.

Generated by OpenCVE AI on March 31, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Handlebars to version 4.7.9 or later
  • Wrap calls to compile() and rendering in try/catch blocks
  • Validate template input before compilation; reject any template containing decorator syntax if decorators are not used
  • Adopt a pre‑compilation workflow to compile templates offline and serve only pre‑compiled templates
  • Check the vendor’s website for additional patches or updates

Generated by OpenCVE AI on March 31, 2026 at 19:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9cx6-37pm-9jff Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
History

Tue, 31 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:handlebarsjs:handlebars:*:*:*:*:*:node.js:*:*

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Handlebarsjs
Handlebarsjs handlebars
Vendors & Products Handlebarsjs
Handlebarsjs handlebars

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-248
References
Metrics threat_severity

None

 threat_severity

Important

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in `try/catch`. Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.
Title Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Weaknesses CWE-754
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Handlebarsjs Handlebars
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T18:52:24.142Z

Reserved: 2026-03-24T19:50:52.103Z

Link: CVE-2026-33939

cve-icon Vulnrichment

Updated: 2026-03-30T18:51:05.796Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T22:16:20.857

Modified: 2026-03-31T17:50:47.520

Link: CVE-2026-33939

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-27T21:08:24Z

Links: CVE-2026-33939 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:00:39Z

Weaknesses