Bug 2452508 (CVE-2026-33939) - CVE-2026-33939 handlebars.js: Handlebars.js: Denial of Service via malformed decorator syntax in template compilation
Keywords:
Status: NEW
Alias: CVE-2026-33939
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2452593 2452599 2452609 2452611 2452623 2452626 2452647 2452650 2452653 2452659 2452603 2452629 2452637 2452657 2452661
Blocks:
Reported: 2026-03-27 22:02 UTC by OSIDB Bzimport
Modified: 2026-03-28 10:13 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description (OSIDB Bzimport, 2026-03-27 22:02:05 UTC)

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator (e.g. `{{*n}}`), the compiled template calls `lookupProperty(decorators, "n")`, which returns `undefined`. The runtime then immediately invokes the result as a function, causing an unhandled `TypeError: ... is not a function` that crashes the Node.js process. Any application that compiles user-supplied templates without wrapping the call in a `try/catch` is vulnerable to a single-request Denial of Service. Version 4.7.9 fixes the issue.

Some workarounds are available:
- Wrap compilation and rendering in `try/catch`.
- Validate template input before passing it to `compile()`; reject templates containing decorator syntax (`{{*...}}`) if decorators are not used in your application.
- Use the pre-compilation workflow: compile templates at build time and serve only pre-compiled templates; do not call `compile()` at request time.
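The first two workarounds above (reject decorator syntax before `compile()`, and keep compile plus render inside one `try/catch`), as an added JavaScript example that is not from the advisory or from the Handlebars project. The `renderUntrusted` helper, its regex and the `fakeAffectedHandlebars` object are assumptions: the last is a constructed stand-in that reproduces the described `TypeError` so the block runs without the handlebars package; in a real service pass `require("handlebars")` instead.

```javascript
// Matches the decorator forms `{{*name}}` and the block form `{{#*name}}`,
// tolerating `~` whitespace control and stray spaces. Deliberately broad:
// a false positive only rejects an unusual template, a false negative
// would let the template reach compile().
const DECORATOR_SYNTAX = /\{\{\s*~?\s*#?\s*\*/;

function hasDecoratorSyntax(template) {
  return DECORATOR_SYNTAX.test(template);
}

// Validate, then compile and render inside a single try/catch so a runtime
// TypeError becomes a result the caller can map to an HTTP error instead of
// an uncaught exception that ends the Node.js process.
function renderUntrusted(hbs, template, context, opts = {}) {
  const maxLength = opts.maxLength ?? 64 * 1024; // assumed size limit
  if (typeof template !== "string" || template.length > maxLength) {
    return { ok: false, error: "template rejected: not a string or too large" };
  }
  if (!opts.allowDecorators && hasDecoratorSyntax(template)) {
    return { ok: false, error: "template rejected: decorator syntax not permitted" };
  }
  try {
    const compiled = hbs.compile(template);
    return { ok: true, output: compiled(context) };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}` };
  }
}

// Constructed stand-in for an affected 4.x runtime: renders `{{name}}` lookups
// and, for `{{*name}}` with no registered decorator, calls the `undefined`
// lookup result as a function, which is the crash the advisory describes.
const fakeAffectedHandlebars = {
  decorators: {},
  compile(template) {
    const self = this;
    return function (context) {
      return template.replace(/\{\{\s*(\*?)\s*([\w.]+)\s*\}\}/g, (_, star, name) => {
        if (star) {
          const decorator = self.decorators[name]; // undefined when unregistered
          return decorator(context); // TypeError: decorator is not a function
        }
        const value = context[name];
        return value == null ? "" : String(value);
      });
    };
  },
};
```

Route every request-time render through `renderUntrusted` and treat `ok: false` as a client error; the pre-compilation workflow from the third workaround removes the request-time `compile()` call altogether.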

