Time-of-check Time-of-use (TOCTOU) Race Condition in handlebars

Q: How to fix?

Upgrade handlebars to version 4.7.9 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Time-of-check Time-of-use (TOCTOU) Race Condition vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-JS-HANDLEBARS-15813000
published30 Mar 2026
disclosed29 Mar 2026
creditLetaoZhao

Report a new vulnerability Found a mistake?

Introduced: 29 Mar 2026

NewCWE-367 (opens in a new tab)

How to fix?

Upgrade handlebars to version 4.7.9 or higher.

Overview

handlebars is an extension to the Mustache templating language.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the lookup function. An attacker can access properties that should be restricted by bypassing prototype-access controls through a time-of-check time-of-use (TOCTOU) flaw, where the security check and the actual property access are decoupled.

Note: This is only exploitable if the { compat: true } compile option is enabled.

Workaround

This vulnerability can be mitigated by avoiding the { compat: true } option and ensuring context data objects are plain JSON without Proxies or getter-based accessor properties.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Time-of-check Time-of-use (TOCTOU) Race Condition Affecting handlebars package, versions >=4.0.0 <4.7.9

Severity