CVE-2026-33939: Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
When a Handlebars template contains decorator syntax that references an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes that result as a function, raising an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles and renders user-supplied templates without wrapping the call in a try/catch is therefore exposed to a single-request Denial of Service.
References
- github.com/advisories/GHSA-9cx6-37pm-9jff
- github.com/handlebars-lang/handlebars.js
- github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2
- github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9
- github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff
- nvd.nist.gov/vuln/detail/CVE-2026-33939