Bug 2452525 (CVE-2026-33938) - CVE-2026-33938 handlebars: Handlebars: Arbitrary code execution via @partial-block overwrite
Summary: CVE-2026-33938 handlebars: Handlebars: Arbitrary code execution via @partial-...
Keywords:
Status: NEW
Alias: CVE-2026-33938
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2452590 2452592 2452602 2452608 2452613 2452617 2452631 2452633 2452636 2452651 2452594 2452621 2452627 2452646 2452654
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-27 22:03 UTC by OSIDB Bzimport
Modified: 2026-03-28 10:12 UTC (History)
27 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-27 22:03:22 UTC 
Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variable is stored in the template data context and is reachable and mutable from within a template via helpers that accept arbitrary objects. When a helper overwrites `@partial-block` with a crafted Handlebars AST, a subsequent invocation of `{{> @partial-block}}` compiles and executes that AST, enabling arbitrary JavaScript execution on the server. Version 4.7.9 fixes the issue. Some workarounds are available. First, use the runtime-only build (`require('handlebars/runtime')`). The `compile()` method is  absent, eliminating the vulnerable fallback path. Second, audit registered helpers for any that write arbitrary values to context objects. Helpers  should treat context data as read-only. Third, avoid registering helpers from third-party packages (such as `handlebars-helpers`) in  contexts where templates or context data can be influenced by untrusted input.
Note You need to log in before you can comment on or make changes to this bug.