Improper Check for Unusual or Exceptional Conditions Affecting handlebars package, versions >=4.0.0 <4.7.9
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-HANDLEBARS-15807042
- published29 Mar 2026
- disclosed27 Mar 2026
- credittrace37labs
Introduced: 27 Mar 2026
NewCVE-2026-33939 (opens in a new tab)How to fix?
Upgrade handlebars to version 4.7.9 or higher.
Overview
handlebars is an extension to the Mustache templating language.
Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions through the registerDecorator path in lib/handlebars/compiler/javascript-compiler.js. An attacker can crash the Node.js process by supplying a template with malformed or unregistered decorator syntax, causing the compiled template to call an undefined decorator as a function. This affects applications that compile untrusted templates at request time, especially when the compile/render call is not wrapped in try/catch. A single malicious template such as {{*n}} can trigger an unhandled TypeError and terminate the process.
**Workarounds**
- Wrap compilation and rendering in
try/catch. - Validate template input before passing it to
compile(), and reject decorator syntax if decorators are not used. - Use pre-compilation at build time and avoid calling
compile()on request-time input.