CVE-2026-33939

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33939
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33939.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33939
Aliases
Downstream
Related
Published
2026-03-27T21:08:24.664Z
Modified
2026-04-10T05:43:19.969097Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. {{*n}}), the compiled template calls lookupProperty(decorators, "n"), which returns undefined. The runtime then immediately invokes the result as a function, causing an unhandled TypeError: ... is not a function that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a try/catch is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in try/catch. Validate template input before passing it to compile(); reject templates containing decorator syntax ({{*...}}) if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call compile() at request time.

Database specific 
{
    "cwe_ids": [
        "CWE-754"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33939.json"
}
References

Affected packages

Git / github.com/handlebars-lang/handlebars.js

Affected ranges

Type
GIT
Repo
https://github.com/handlebars-lang/handlebars.js
Events
Introduced
bff5fab8f9d42e21950be00dcf1cedf4dc1a565b
Fixed
dce542c9a660048d31f0981ac8a45c08b919bddb
Database specific 
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.7.9"
        }
    ]
}

Affected versions

v4.*
v4.0.0
v4.0.1
v4.0.10
v4.0.11
v4.0.12
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9
v4.1.1
v4.1.2
v4.1.2-0
v4.2.0
v4.2.1
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.7.0
v4.7.1
v4.7.2
v4.7.3
v4.7.4
v4.7.5
v4.7.6
v4.7.7
v4.7.8

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33939.json"