PT-2026-28569 · Unknown · Handlebars

Realhurrison · Published 2026-03-27 · Updated 2026-05-19

CVE-2026-33937

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Handlebars versions 4.0.0 through 4.7.8
Description: Handlebars allows Remote Code Execution (RCE) through a crafted Abstract Syntax Tree (AST) object. Handlebars.compile() accepts either a template string or a pre-parsed AST. When an AST is supplied, the value field of a NumberLiteral node is emitted directly into the generated JavaScript without sanitization, so an attacker who can supply a crafted AST to compile() can inject arbitrary JavaScript that runs on the server. The vulnerable code path is in lib/handlebars/compiler/javascript-compiler.js, where NumberLiteral values are appended to the generated code without escaping. Any endpoint that deserializes user-controlled JSON and passes the result directly to Handlebars.compile() is potentially exploitable. The proof of concept demonstrates command execution by calling process.getBuiltinModule('child process').execFileSync('id') to run the 'id' command.
Recommendations: Handlebars versions prior to 4.7.9 are affected. Validate the argument type before calling Handlebars.compile(): it must always be a string, never a plain object or a JSON-deserialized value. If templates are precompiled at build time, use the runtime-only build (handlebars/runtime) on the server, which does not expose compile() at all.
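An input-type guard of the kind the recommendation describes, as an added example (not Handlebars project code). The compile function is injected and stubbed so the snippet runs without the handlebars package; assertTemplateSource, makeSafeCompile, compileFromRequestBody and stubCompile are hypothetical names.

```javascript
// Added example, not Handlebars project code. Guards a server-side compile
// step so that only a template *string* can reach Handlebars.compile(): a
// JSON-deserialized object would otherwise be treated as a pre-parsed AST.

// Returns the value unchanged if it is a string, otherwise throws TypeError.
function assertTemplateSource(source) {
  if (typeof source !== 'string') {
    const got = source === null ? 'null' : Array.isArray(source) ? 'array' : typeof source;
    throw new TypeError(`template must be a string, got ${got}`);
  }
  return source;
}

// Wraps a compile-like function (in production: require('handlebars').compile).
// Injected here so the example runs without the handlebars package installed.
function makeSafeCompile(compile) {
  if (typeof compile !== 'function') {
    // handlebars/runtime exposes no compile(); fail at startup, not per request.
    throw new Error('compile() is unavailable: use precompiled templates with the runtime build');
  }
  return function safeCompile(source, options) {
    return compile(assertTemplateSource(source), options);
  };
}

// Typical request-handler body: `body` is the result of JSON.parse on untrusted input.
// Returns the compiled template, or a 400-style result when "template" is not a string.
function compileFromRequestBody(safeCompile, body) {
  try {
    return { ok: true, template: safeCompile(body && body.template) };
  } catch (err) {
    if (err instanceof TypeError) return { ok: false, status: 400, error: err.message };
    throw err; // genuine template errors from the real compiler still propagate
  }
}

// Stand-in compiler for the demo: records what it received instead of generating code.
function stubCompile(source) {
  return { source: source };
}
```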

Tags: Exploit, Fix, RCE, DoS, Type Confusion, Code Injection

Related Identifiers

CLEANSTART-2026-AD27625
CLEANSTART-2026-BE61221
CLEANSTART-2026-KS09647
CLEANSTART-2026-LC05413
CLEANSTART-2026-TW25027
CLEANSTART-2026-TZ34913
CVE-2026-33937
GHSA-2W6W-674Q-4C4Q

Affected Products

Handlebars