Node.js · CVE-2026-33939
**Name of the Vulnerable Software and Affected Versions**
Handlebars versions 4.0.0 through 4.7.8
**Description**
Handlebars templates that use decorator syntax to reference an unregistered decorator (e.g., `{{*n}}`) can cause a Denial of Service. The compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then attempts to invoke this `undefined` value as a function, resulting in an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Applications that compile user-supplied templates without error handling are susceptible to a single-request Denial of Service: an attacker can submit a malicious template like `{{*n}}` to an endpoint that calls `Handlebars.compile(userInput)()`, and if a process manager restarts the server automatically, the process can be crashed repeatedly.
**Recommendations**
Versions prior to 4.7.9 are affected.
Wrap compilation and rendering in `try/catch` blocks.
Validate template input before compilation and reject templates containing decorator syntax (`{{*...}}`) if decorators are not used.
Use the pre-compilation workflow by compiling templates at build time and serving only pre-compiled templates; avoid calling `compile()` at request time.
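The try/catch and input-validation recommendations above, combined in one wrapper (an added example, not code from the Handlebars project). `containsDecorator`, `safeRender` and the `engine` parameter are hypothetical names; `engine` is assumed to be any object exposing `compile()`, such as the `handlebars` module.

```javascript
// Decorator openers: {{*name}} and the block form {{#*name}}, each optionally
// carrying the ~ whitespace-control marker. The check is deliberately
// conservative: it also matches inside comments and escaped mustaches, and it
// rejects inline partials ({{#*inline}}), which use the same syntax.
const DECORATOR_OPEN = /\{\{~?#?\*/;

function containsDecorator(source) {
  return DECORATOR_OPEN.test(source);
}

// Renders an untrusted template and returns a result object instead of
// letting an exception escape the request handler.
function safeRender(engine, source, context) {
  if (typeof source !== 'string') {
    return { ok: false, reason: 'template must be a string' };
  }
  if (containsDecorator(source)) {
    return { ok: false, reason: 'decorator syntax is not allowed' };
  }
  try {
    // compile() is lazy: parse errors and the TypeError described above only
    // surface when the template function is invoked, so both calls stay
    // inside the same try block.
    const template = engine.compile(source);
    return { ok: true, output: template(context) };
  } catch (err) {
    return { ok: false, reason: `template error: ${err.name}` };
  }
}
```

In a request handler, map `ok: false` to a 4xx response and log `reason`, so a rejected template never reaches the process-level exception handler.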