PT-2026-28571 · Unknown · Handlebars

Trace37Labs · Published 2026-03-27 · Updated 2026-04-10 · CVE-2026-33939

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Handlebars versions 4.0.0 through 4.7.8

Description: Handlebars templates containing decorator syntax that references an unregistered decorator (e.g., {{*n}}) can cause a Denial of Service. The compiled template calls lookupProperty(decorators, "n"), which returns undefined. The runtime then attempts to invoke this undefined value as a function, resulting in an unhandled TypeError: ... is not a function that crashes the Node.js process. Applications that compile user-supplied templates without error handling are susceptible to a single-request Denial of Service: an attacker can submit a template such as {{*n}} to an endpoint that calls Handlebars.compile(userInput)(), crashing the server process, and crashing it repeatedly if a process manager restarts it automatically.

Recommendations: Versions prior to 4.7.9 are affected. Wrap compilation and rendering in try/catch blocks. Validate template input before compilation and reject templates containing decorator syntax ({{*...}}) if decorators are not used. Use the pre-compilation workflow by compiling templates at build time and serving only pre-compiled templates; avoid calling compile() at request time.
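The mitigations above, as an added example (not code from the advisory or from the Handlebars project): a guard that rejects decorator syntax before compile() is ever reached and wraps compile and render in try/catch so a TypeError becomes a structured error instead of a process crash. The real Handlebars compile function is meant to be injected as the third argument; stubCompile is a constructed stand-in that mimics the failing behaviour so the example runs offline.

```javascript
// Added example, not part of the advisory or of Handlebars. The real
// Handlebars `compile` is injected so this module has no dependency;
// `stubCompile` below is a constructed stand-in used when nothing is injected.

// Handlebars opens a decorator with "{{*name" or "{{#*name" (optionally with a
// "~" whitespace-control flag). The check is deliberately conservative: it also
// rejects escaped occurrences such as "\{{*n}}" (a false positive is acceptable
// for a deny rule; a false negative is not).
const DECORATOR_OPEN = /\{\{~?#?\*/;

function containsDecorator(source) {
  return DECORATOR_OPEN.test(source);
}

// Compile and render a user-supplied template without letting any exception
// escape to the event loop. Returns { ok: true, output } or { ok: false, error }.
function renderUserTemplate(source, data, compile = stubCompile) {
  if (typeof source !== 'string' || source.length > 10000) {
    return { ok: false, error: 'template rejected: invalid or too large' };
  }
  if (containsDecorator(source)) {
    // Reject before compile(): the crash happens at render time, when the
    // compiled code tries to call the unregistered decorator.
    return { ok: false, error: 'template rejected: decorator syntax is not allowed' };
  }
  try {
    const template = compile(source);
    return { ok: true, output: template(data) };
  } catch (err) {
    // A TypeError here is what would otherwise take the process down unhandled.
    return { ok: false, error: `render failed: ${err.name}: ${err.message}` };
  }
}

// Constructed stand-in for Handlebars.compile(): substitutes {{key}} from data
// and reproduces the advisory's failure mode for decorators, so the try/catch
// path can be exercised without the real library.
function stubCompile(source) {
  return function template(data) {
    if (/\{\{\*/.test(source)) {
      const decorator = undefined; // what lookupProperty(decorators, "n") returns
      decorator();                 // TypeError: decorator is not a function
    }
    return source.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, key) => String(data[key] ?? ''));
  };
}
```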

Weakness Enumeration

Improper Check for Exceptional Conditions

Related Identifiers

CVE-2026-33939
GHSA-9CX6-37PM-9JFF

Affected Products

Handlebars
Node.js