Skip to content

CVE-2026-33939 (High) detected in handlebars-4.0.11.tgz #158

Description

@mend-for-github-com

CVE-2026-33939 - High Severity Vulnerability

Vulnerable Library - handlebars-4.0.11.tgz

Handlebars provides the power necessary to let you build semantic templates effectively with no frustration

Library home page: https://registry.npmjs.org/handlebars/-/handlebars-4.0.11.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/handlebars/package.json

Dependency Hierarchy:

  • lerna-3.2.1.tgz (Root Library)
    • version-3.2.0.tgz
      • conventional-commits-3.0.2.tgz
        • conventional-changelog-core-2.0.11.tgz
          • conventional-changelog-writer-3.0.9.tgz
            • handlebars-4.0.11.tgz (Vulnerable Library)

Found in HEAD commit: 540c99a1154755210d6564a50420589ebbf7f97c

Found in base branch: master

Vulnerability Details

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. "{{n}}"), the compiled template calls "lookupProperty(decorators, "n")", which returns "undefined". The runtime then immediately invokes the result as a function, causing an unhandled "TypeError: ... is not a function" that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a "try/catch" is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue. Some workarounds are available. Wrap compilation and rendering in "try/catch". Validate template input before passing it to "compile()"; reject templates containing decorator syntax ("{{...}}") if decorators are not used in your application. Use the pre-compilation workflow; compile templates at build time and serve only pre-compiled templates; do not call "compile()" at request time.

Publish Date: 2026-03-27

URL: CVE-2026-33939

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-27

Fix Resolution: https://github.com/handlebars-lang/handlebars.js.git - v4.7.9

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions